Skip to main content
crisis commscyber securitycybersecurityPRPR Resources

Crisis Communications and Cyberattacks – Lessons from 23andMe

By January 17, 2024No Comments

In our digital economy, cybersecurity breaches have become a daily occurrence. Organisations of all sizes must therefore conduct business knowing that it is a matter of when and not if, they will succumb to a cyberattack. And, when an attack does occur, having the right crisis comms strategy in place is critical to communicate with stakeholders, restore trust, and demonstrate how the issue is being resolved. For those of us working in cybersecurity PR, we see time and time again how a poor crisis comms strategy after a breach can exacerbate negative sentiment, and can sometimes create more damage than the breach itself.

With that said, the start of 2024 has provided an example of how a company should not act when faced with a security incident…

Recall in December 2023, when 23andMe, the personal genomics and biotech company that is famed for using genetics to learn about ancestry, announced it had suffered a data breach with hackers stealing information relating to 6.9 million users – estimated to be half of the customer base.

Fast forward to January 3, when faced with over 30 lawsuits from its victims, 23andMe shifted blame for the cyberattack to its victims to absolve itself of responsibility.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

From a crisis comms standpoint, 23andMe’s response to its breach misses the mark completely. When the focus of the news is on the way a breach has been handled, this can result in irreparable reputational damage and often significant financial losses for the company.

In the case of the 23andMe breach, the decision to blame the victims has fuelled negative press, dodged responsibility, and failed to express any compassion towards those impacted.

While this is probably heavily driven by the company’s legal department, the letter’s tone has angered customers and fuelled backlash.

Ultimately, in many cases, the average person may not know that their password has been compromised elsewhere. It is up to an organisation to make sure that its security measures are robust enough to mitigate any end-user risk.

Publicly downplaying the risk and deflecting blame is undoubtedly poor PR. Cybersecurity breaches have become an unfortunate fact of modern life, making it critical that all organisations have a crisis comms plan in place, so they’re prepared to respond properly if an incident occurs.

Without this, companies risk misjudging their communications strategy, significantly exacerbating the fallout from a breach.

Once more, after the breach

As a bare minimum, your company should have a tested crisis communications plan in place, with all major stakeholders and spokespeople trained in the necessary processes. Then, in the event of a security incident, it is possible to act in the best interest of not only your customers, but also the company and its reputation, by:

  • Being quick with your response – as waiting or delaying will only lead to confusion.
  • Communicating with key stakeholders to provide important guidance on what’s being done to rectify the issue and how they can protect themselves
  • Being honest in all statements as best you can to help build credibility.
  • Remaining calm – you will get through it!


A detailed guide can be found here providing further explanation on crisis communications for incident response and covers key steps to follow, who should be involved in the crisis management team, why Crisis PR is different to regular PR, and how to create an effective crisis communications plan.