DNA testing biz vows to improve infosec after criminals break into database it forgot it had
Settles lawsuit with two states after wider leak that affected millions
A DNA diagnostics company will pay $400,000 and tighten its security in the wake of a 2021 attack where criminals broke into its network and swiped personal data on over two million people from a nine-year-old "legacy" database the company forgot it had.
The genetic testing firm, DNA Diagnostics Center (DDC), reached a settlement deal with the attorneys general of Ohio and Pennsylvania last week, after the social security numbers of 45,000 residents of the two states were exposed, with each state getting $200k. Ultimately the 2021 attack exposed the data of over 2.1 million people who had undergone genetic testing across the US.
On its website, the company says its lab director, Dr Baird, has provided DNA expert consultation in cases including the OJ Simpson trial, the Anna Nicole Smith paternity case, and the Prince estate case. DDC offers paternity testing, immigration testing, veterinary DNA testing and forensic testing.
A criminal's ransom, a decommissioned server, and a forgotten database
The stolen customer data was previously bought by DDC from another company in order to expand its business portfolio in 2012, court papers said, adding that "specifically, the breach involved databases that were not used for any business purpose, but were provided to DDC as part of a 2012 acquisition of Orchid Cellmark."
DDC claimed the impacted databases, which contained "sensitive personal information", were inadvertently transferred to DDC from Orchid Cellmark without its knowledge, and said it was not even "aware" that these legacy databases existed in its systems at the time of the breach – more than nine years after the acquisition. It also said it had done an inventory assessment and a systems penetration test; however, the "legacy databases that stored the sensitive personal information in plain text" were not identified during these tests because the assessments only focused on "active customer data."
According to the settlement deal [PDF] it inked with Pennsylvania, the company received warnings from its MSP for months before taking action. "As early as May 28, 2021, DDC's managed service provider began sending several automated alerts over a two-month period to DDC to notify the company that there was suspicious activity related to the Breach in DDC's network."
By August 2021, the service provider notified DDC that there were indications of Cobalt Strike malware observed on DDC's network, "which finally led DDC to activate its incident response plan," according to the settlement.
A DDC spokesperson told The Register its internal IT team had responded to a May email alert "through the decommissioning of technical assets that were potentially vulnerable." DDC said the decommissioning happened before the remediation program that began in August, and was done in response to the alert of suspicious activity.
However, according to the settlement, an attacker used a decommissioned server to exfiltrate the data:
Between July 7, 2021 and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers. In order to exfiltrate the data out of DDC's environment, the threat actor used a decommissioned server.
In September 2021, the threat actor contacted DDC and informed the company that the threat actor successfully exfiltrated sensitive personal information from DDC's network and demanded payment.
DDC then paid the attacker in exchange for the deletion of stolen data, the settlement added.
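Two of the failures the settlement describes, a "decommissioned" server that was still able to push data out of the network and databases nobody knew were there, are both things an asset inventory can catch if it is actually cross-checked against what the network is doing. The script below is an added illustration, not code from DDC, its managed service provider or the settlement: it takes a constructed inventory and a few constructed egress flow records (the hostnames, field names and RFC 5737 destination addresses are all assumptions) and flags any outbound traffic whose source is marked decommissioned or is absent from the inventory altogether.

```python
"""Flag egress traffic from hosts that are decommissioned or not in the asset inventory.

Added example, not DDC's or its MSP's tooling. All data below is constructed.
"""
from dataclasses import dataclass
import csv
import io

# Constructed asset inventory; the 'status' column is an assumed field name.
INVENTORY_CSV = """hostname,ip,status
db-legacy-01,10.20.5.14,decommissioned
app-prod-02,10.20.5.20,active
jump-01,10.20.5.2,active
"""

# Constructed egress flow records. Destination IPs are RFC 5737 documentation
# addresses; the last row comes from a host the inventory has never heard of.
FLOWS_CSV = """ts,src_ip,dst_ip,dst_port,bytes_out
2021-07-07T02:13:00Z,10.20.5.14,203.0.113.7,443,5210000000
2021-07-07T02:15:00Z,10.20.5.20,198.51.100.9,443,120000
2021-07-08T01:02:00Z,10.20.5.14,203.0.113.7,443,4800000000
2021-07-09T03:40:00Z,10.20.9.99,203.0.113.7,22,910000000
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    hostname: str   # "?" when the source is not in the inventory
    dst_ip: str
    bytes_out: int
    reason: str     # "decommissioned-host-active" or "source-not-in-inventory"


def load_inventory(text):
    """Map IP address -> (hostname, status) from the inventory CSV."""
    return {row["ip"]: (row["hostname"], row["status"])
            for row in csv.DictReader(io.StringIO(text))}


def audit_egress(inventory_text, flows_text, min_bytes=0):
    """Return a Finding for every flow (at or above min_bytes) whose source is
    either marked decommissioned or missing from the inventory entirely."""
    inv = load_inventory(inventory_text)
    findings = []
    for row in csv.DictReader(io.StringIO(flows_text)):
        bytes_out = int(row["bytes_out"])
        if bytes_out < min_bytes:
            continue
        entry = inv.get(row["src_ip"])
        if entry is None:
            hostname, reason = "?", "source-not-in-inventory"
        elif entry[1] == "decommissioned":
            hostname, reason = entry[0], "decommissioned-host-active"
        else:
            continue  # active, known host: not this rule's concern
        findings.append(Finding(row["ts"], row["src_ip"], hostname,
                                row["dst_ip"], bytes_out, reason))
    return findings


if __name__ == "__main__":
    for f in audit_egress(INVENTORY_CSV, FLOWS_CSV):
        print(f"{f.ts} {f.src_ip} ({f.hostname}) -> {f.dst_ip} "
              f"{f.bytes_out} bytes: {f.reason}")
```

The point of the second rule is the forgotten-database problem: a source address that appears in flow logs but not in the inventory is, by definition, an asset nobody is responsible for, which is exactly the gap an inventory assessment limited to "active customer data" leaves open. The `min_bytes` threshold exists only to keep chatty-but-tiny flows out of the way when triaging; a decommissioned host should generate no traffic at all, so in practice it belongs at zero.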
The Ohio Attorney General claimed its investigation had found DDC engaged in "deceptive or unfair business practices" by making "material misrepresentations" in its customer-facing privacy policy. The policy will sound familiar to Reg readers, and read: "We are committed to protecting the security of your information. We use a variety of reasonable security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. Access to your personal information is limited and we take reasonable measures to ensure that your personal information is not accessible."
Under the terms of the settlement, DDC must improve its security practices, hire a cybersecurity boss and bin information that "doesn't serve any business purposes" such as defunct DBs. The genetics testing business must also start implementing regular software updates, pentest its networks and add 2FA. And the company agreed it would investigate and respond to future suspicious network activity "within reasonable time periods."
Ohio Attorney General Dave Yost said of the settlement: "Negligence is not an excuse for letting consumer data get stolen." Acting Pennsylvania AG Michelle Henry added: "The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes." ®
Updated to add:
A DDC spokesperson told The Reg: "DDC also offered complimentary credit monitoring to eligible individuals out of an abundance of caution. Additionally, DDC cooperated fully with the Attorneys General to assist anyone impacted by the incident," adding: "At present time, DDC is not aware of any reports of identity fraud or improper use of the information. Since the incident, DDC has been working with third-party experts to enhance our cybersecurity defenses."