What the 23andMe Hack Tells Us – Tech Firm Crisis Communications
December 11, 2023

As specialists in Crisis Communications training for tech firms, we’ve been fascinated to follow the 23andMe story over the last week. In case you missed it, the DNA testing company admitted that it had been hacked and that hackers took personal data from nearly 7 million customers – a huge increase on the roughly 14,000 it admitted in October. We regularly help tech companies to prepare for crises such as hacks. This case is particularly serious as it exposes some very sensitive information from customers, including their family history, relationships with others and details of their chromosomes. Any hack is critical and potentially unpleasant, given that people’s personal data is being shared and their trust abused. The 23andMe hack has added unpleasantness and controversy because of the racist and anti-Semitic comments expressed by the hackers.

And it gets worse. One of the company’s clients whose details were released is Rob Joyce, cyber security director of the US National Security Council. This latest hacking incident demonstrates the importance of having a crisis communication strategy fully prepared and ready for tech companies at a moment’s notice.

The Golden Hour

We work with a growing number of tech companies to ensure that if – OK, let’s be honest – when something goes wrong, they can respond immediately. In crisis communications training, we used to talk about “the golden hour”. This was the time in which an organisation that had suffered a crisis could get onto the front foot, putting out messages and establishing its narrative. If they took more than an hour to do this, they would probably find themselves constantly having to respond to the latest allegations or criticism. With the advent of social media and the citizen reporter, that window to take the initiative and gain control of the story is more likely to be just a few minutes.

In our crisis Media Training for tech firms, we work closely with their in-house communications teams and public relations companies to identify where threats could come from and how senior management might learn about them.

We then examine how those senior leaders can act quickly to take the initiative and get ahead of the story. They must decide on the messages that they want to put across. We advise those taking part in our crisis Communications training for tech firms to start with sympathy. This doesn’t mean that you have to admit that you’ve made a mistake and apologise. It just means that you need to sound human and understanding. Looking at the coverage of the 23andMe hack, it’s difficult to find much sympathy for customers who might feel frightened, vulnerable, and angry as a result of this hack.

Showing Productivity

We also advise the tech companies doing our crisis communications courses to demonstrate to the public that they are taking action. One example of this action is, of course, to carry out an investigation. As well as showing that you are doing something, this also means that you can answer many journalists’ questions and counter the media’s tendency to speculate by pointing out that it’s too early to comment at this stage and that you’ll have to wait for the investigation to report.

As tech firms’ crisis communications consultants, we advise people to talk about their third-party and independent associations. Can you say you follow all regulations and comply with the regulators’ requirements? This can help to persuade audiences that you’ve done all that you can to prevent this data breach from happening.

Keeping a Consistent Message

Very often, the tech firms we provide crisis communications for serve several clients. This can be embarrassing and potentially very damaging for the firms, but also for their clients. We, therefore, advise the senior managers doing our crisis communications workshops for tech firms to ensure that they’re giving the same message to their clients and that the communication between all stakeholders is coordinated. All of our trainers are working journalists (operating under strict nondisclosure agreements), and they know that when they’re reporting on a crisis in their day job, finding some discrepancy between the various parties involved makes a better story – from their point of view, that is. This cacophony of different messages and conflicting claims about what happened when creates even more of a problem for the companies affected by the crisis.

One of the mistakes that 23andMe has made is changing their story and withholding certain information, which, inevitably, has since been made public. In October, the company told the US Securities and Exchange Commission that 14,000 accounts had been hacked only because those customers were using login details that had been compromised in other hacking incidents. However, the company has a social network that allows customers to match with others who might have similar DNA and might, therefore, be relatives. It turns out that the hackers were able to scrape data from this part of the site to access the personal details of 6.9 million people.

23andMe is currently involved in a series of claims and counterclaims with Rob Joyce and other parties. Media coverage has inevitably featured comments from cyber security consultants and others questioning the claims and reassurances from the company.

Tell it All, Tell it Quickly and Tell it Truthfully

In our crisis communications courses for tech companies, we advise them to “Tell it all, tell it quickly and tell it truthfully.” This means releasing all the information you can as soon as possible. It might sound counterintuitive – surely if something hasn’t yet come into the public domain, you wouldn’t want to release it? Although this is entirely understandable, the point is that this information almost certainly will become public at some point, and the danger is that not only does this keep the story running and give it “legs”, as we say, but it also looks like you are trying to hide something. You’re being forced to respond to this revelation. Releasing the facts yourself makes you look in control of the situation.

It also suggests that you’re honest, and, very importantly, it gets the story out there in one bite, limiting its longevity. Finally, it means that the media is more likely to come to you for information since you’re obviously being transparent and proactive, and they’re less likely to go for those talking heads who can pop up to express an opinion and pile the pressure on you.

Crisis Communication Preparation Courses

The 23andMe hack shows that not only are the risks to tech companies increasing, but it’s still possible to handle a hack or crisis situation badly. Our Crisis Communications training courses for tech companies can’t prevent a hack from happening, but they can help you greatly reduce its negative impact.

Please call 07958 239892 or email
