With the typical person having dozens of online accounts that contain personal information, the significance of cyber security is at an all-time high. One such case that highlights the importance of efficient cyber measures is the security breach at ancestry and genetics company, 23andMe.

23andMe revealed to California regulators that it hadn’t detected malicious access to its user accounts for months. What began as an account breach in October turned into a significant data leak with personal data from 6.9 million users impacted. The breach stemmed from attackers compromising roughly 14,000 user accounts – an intrusion that went unnoticed for an unsettling period of time.

23andMe Collection Kit - Security Incident
23andMe Collection Kit – Security Incident

➜ Details of the Security Breach: What Actually Happened?

23andMe has claimed that the account intrusions were mainly due to users setting weak or reused passwords. Yet, the disclosure from a state-mandated filing in California tells a different story. It points out that attackers started compromising customer accounts as early as April, spanning through September without the company detecting any suspicious activity.

Infecting Then “Waiting It Out”

It is common practice for hackers to have malicious code lying in wait for the perfect opportunity to strike.

This lengthy period of undetected intrusion underscores the need for companies to implement robust cybersecurity measures that would’ve detected this leak sooner as well as account monitoring and user education/standards for password security.

The incident raises questions about how security protocols are being handled within many large companies that house people’s private data. It’s becoming increasingly crucial for companies like 23andMe to learn from these errors and build a safer online environment that its users can trust.

What Businesses Can Learn

In light of the 23andMe data breach, businesses are starkly reminded of the paramount importance of safeguarding customer data. This incident not only underscores the vulnerabilities inherent in digital enterprises but also serves as a potent learning opportunity for organizations across the spectrum to reinforce their data protection strategies.

Here are key lessons:

  • Prioritize Data Security: Implement robust security measures, including encryption, frequent security audits, and intrusion detection systems, to protect against unauthorized access.
  • Regularly Update Systems: Ensure that all software and systems are up-to-date with the latest security patches and updates to guard against vulnerabilities.
  • Enhance User Authentication: Adopt multi-factor authentication to add an additional layer of security, making it more challenging for unauthorized users to gain access.
  • Instill a Culture of Security Awareness: Foster an organizational culture that emphasizes the importance of data privacy and security through regular training and awareness programs.
  • Develop a Comprehensive Incident Response Plan: Prepare for potential breaches with a well-defined incident response plan that outlines steps for containment, assessment, notification, and recovery.

➜ Cyber Security is No Longer Optional

Businesses must view the 23andMe data breach not just as a cautionary tale, but as a catalyst for enhancing their own data protection practices. We have arrived at a time where the security of customer information is integral to maintaining trust, credibility, and competitive advantage.

If you’re ready to take that next step in keeping your business and customers safe, NOYNIM would love to talk with you. Contact us today to schedule a cyber security consultation:


We're happy to answer any questions you may have, feel free to call us at
(720) 524-8616