DNA Diagnostics Center (DDC), a US-based DNA testing service suffered a data breach in November 2021, in which hackers managed to access highly sensitive and personal data of users, including payment card details.
DNA Diagnostics Center (DDC) has agreed to pay $400,000 to settle the lawsuits filed against it by the attorneys general of Pennsylvania and Ohio after a 2021 data breach affecting 2.1 million.
The breach, which was reported by Hackread.com, initially occurred in May 2021, but the company did not take any further action at the time. It was only when DDC’s managed service provider reached out again to inform the company about evidence of Cobalt Strike malware on its network that it acted to secure its systems.
However, by that time, a hacker had acquired data from more than 2,102,436 customers. This data included the social security numbers of 45,000 customers from Ohio and Pennsylvania.
The stolen data belonged to a legacy database that DDC inherited from another DNA testing company, Orchid Cellmark, after acquiring it in 2012.
DDC claimed that it had no knowledge of the database’s existence in its systems, and despite the company’s inventory assessment and penetration tests, the legacy databases did not show up.
This oversight led to threat actors accessing 28 databases containing personally identifiable information (PII) of people who had undergone genetic testing between 2004 and 2012. After the emergence of news about the data breach, Ohio and Pennsylvania sued the company.
- The Forgotten Victims of Data Breach
- Police deleted 150k arrest records, DNA data
- DNA contractor breach exposed Police’s rape kit data
- MyHeritage DNA testing site hacked; 92m accounts stolen
“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost, of the incident. “We’re proud to partner with Pennsylvania to ensure that citizens’ personal data stays private —which consumers rightly expect.”
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” said acting Attorney General of Pennsylvania Michelle A. Henry. “That’s why my Office took action with the assistance of Attorney General Yost in Ohio.”
As part of the settlement, DDC agreed to improve its security practices, hire a Chief Information Security Officer (CISO) to oversee its security department, conduct regular security risk assessments, maintain an updated asset inventory and develop a plan to respond to a security threat on the network.