Incident Insights

A Security Leader’s Takeaways from the 23andMe Cyber Incident

23andMe's 2023 breach offers key lessons in cybersecurity hygiene, regulatory collaboration, and trust. Here’s what CISOs can take away.

When the UK’s Information Commissioner’s Office (ICO) concluded its investigation into the 2023 23andMe breach, it was clear the findings were taken seriously. The company worked closely with the Office of the Privacy Commissioner of Canada to clarify the sequence of events leading up to the breach, demonstrating a collaborative, transparent response that many organizations can learn from.

23andMe acknowledged the distress and concern caused to its customers and reaffirmed its commitment to protecting their personal information. That kind of transparency is no longer optional, especially when your business is built on sensitive data like genetic health insights.

In the aftermath, 23andMe implemented a suite of improved cybersecurity hygiene measures. These included:

  • Strengthened authentication protocols
  • Mandatory multi-factor authentication (MFA) for all users
  • Enhanced detection and response systems
  • Better internal monitoring
  • Extra verification steps for downloading raw genetic data

What is especially encouraging is that 23andMe treated this event as an opportunity to improve, and has confirmed its commitment to maintaining an open dialogue with regulatory bodies and to learning continuously from these experiences in order to further strengthen its security posture.

Given that the company provides individuals with insights into their health and ancestry, maintaining trust is paramount. Accordingly, 23andMe has stated that it will continue to invest in advanced security technologies and practices to ensure the integrity and confidentiality of its data.

For security leaders, this incident reinforces the importance of understanding your own attack surface and your digital supply chain. Your cyber posture isn’t just about the tools you deploy; it’s also about:

  • Knowing which assets are exposed
  • Understanding third-party dependencies
  • Prioritising controls based on business impact
  • Continuously adapting to emerging threats

At ThingsRecon, we help organizations discover what’s truly exposed, classify cyber asset importance, and map risk across supply chains with context, not just inventory. If these capabilities sound helpful, especially as regulations like NIS2 and DORA put a spotlight on cyber resilience, reach out to us.