DNA Diagnostics Center (DDC) has settled a lawsuit, agreeing to pay $400,000 to Pennsylvania and Ohio over a breach that resulted in attackers taking data on 2.1 million people.
DDC, a DNA testing firm, agreed to pay both states $200,000 and promised to tighten its security practices, court documents show.
The costly breach occurred in May 2021 after threat actors accessed a database DDC inherited from another DNA testing business, Orchid Cellmark, which DDC acquired in 2012.
DDC claims the company wasn’t aware that the acquisition transferred a legacy database containing personally identifiable information (PII). Even though the company’s security team performed an inventory assessment and penetration tests, the legacy databases were missed.
Lax oversight led to threat actors accessing 28 databases with information on 2.1 million US citizens, including the Social Security numbers of over 45,000 people who were subject to genetic testing between 2004 and 2012.
The threat actor got hold of the database by logging into a VPN with a DDC user account.
“When the threat actor initially accessed the VPN, DDC had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access,” court documents say.
As part of the settlement, DDC was ordered to improve its security practices, hire cybersecurity staff and dispose of user information the company is not using for business purposes.