DNA company pays $400k for leaking sensitive data

DNA Diagnostics Center (DDC) has settled a lawsuit, agreeing to pay $400,000 to Pennsylvania and Ohio over a breach that resulted in attackers taking data on 2.1 million people.

DDC, a DNA testing firm, agreed to pay both states $200,000 and promised to tighten its security practices, court documents show.

The costly breach occurred in May 2021 after threat actors accessed a database DDC inherited from another DNA testing business, Orchid Cellmark, which DDC acquired in 2012.

DDC claims the company was not aware that the acquisition had transferred a legacy database containing personally identifiable information (PII). Although the company's security team had performed an inventory assessment and penetration tests, the legacy databases were missed.

Lax oversight led to threat actors accessing 28 databases with information on 2.1 million US citizens, including the social security numbers of over 45,000 people who were subject to genetic testing between 2004 and 2012.

The threat actor got hold of the database by logging into a VPN with a DDC user account.

“When the threat actor initially accessed the VPN, DDC had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access,” court documents say.

As part of the settlement, DDC was ordered to improve its security practices, hire cybersecurity staff and dispose of user information the company is not using for business purposes.
