DNA testing company fined after customer data theft

DNA Diagnostics Center (DDC), an Ohio-based private DNA testing company, last week reached a settlement deal with the Ohio and Pennsylvania state attorneys general in relation to a 2021 breach that saw the theft of 45,000 residents‘ personal details. Overall the attack compromised over 2.1 million customers who had undergone genetic testing across the US.

The company will pay a total fine of $400,000 for Ohio and Pennsylvania—and has promised to tighten its information security.

What happened in the 2021 breach

When DDC acquired Orchid Cellmark, a British company also in the DNA testing industry, as part of its business expansion in 2012, the company didn’t know that it also inherited legacy databases that kept personally identifiable information (PII) in plain text form. According to court documents, “the Breach’s impacted databases, containing sensitive personal information, were inadvertently transferred to DDC without its knowledge. Moreover, DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach—more than nine years after the acquisition.”

DDC said it conducts both inventory assessment and penetration testing on its systems. But since it was unaware of the unused databases, they were not included during the tests as the assessments focused only on those with active customer data.

In May 2021, one of DDC’s MSPs (managed service providers) began sending automated alerts over a two-month period about suspicious activities within its network. Court documents didn’t reveal why DDC didn’t act on the alerts, but three months after, the same MSP notified DDC again, this time about Cobalt Strike malware activity in its network. This triggered the company’s incident response plan.

According to the investigation, an attacker logged into the old VPN (virtual private network) that DDC used before migrating to a new one using a compromised employee account. It’s not known how this account ended up in the attacker’s hands, but they were able to harvest Active Directory (AD) credentials from a domain controller, a server providing security authentication for users. Weeks after, the attacker used a test account with administrator privileges to establish persistence in the now-compromised environment. They then unleashed Cobalt Strike.

In the following weeks, the attacker accessed five servers and copied 28 databases. They then exfiltrated data from DDC using a decommissioned server. Finally, in September, the attacker contacted DDC to extort payment for all the data they had. The company paid up to have all copied data deleted.

No threat group has owned up to the attack.

The Commonwealth took issue with DDC engaging in “deceptive or unfair business practices by making material misrepresentations in its customer-facing privacy policy concerning the safeguarding of its customers’ personal information.” Evidence of this was when DDC “disseminated, or caused to be disseminated” statements in its Privacy Policy, stating the company is committed to protecting the information of its clients. Yet, the Commonwealth alleges it “failed to employ reasonable measures to detect and prevent unauthorized access to its computer network,” leading to the compromise of Pennsylvanians’ data. 

“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost in a statement. Acting Attorney General Michelle Henry added, “The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes.”

Terms of settlement

DDA is required to develop an information security program that is “reasonably designed” to protect user data. An employee or third-party service provider with appropriate credentials and expertise must be assigned to oversee the prram.

The company is also ordered to conduct comprehensive annual risk assessments of its networks where sensitive client data are stored, maintain an asset inventory, create and implement an incident response plan, and remove any assets that are not used or necessary for business purposes. 

Lastly, DDA must create and implement security measures for the overall protection of personal data it stores, including regularly updating software, controlling user access (such as the use of two-factor authentication), conducting network penetration testing, segmenting the network, and maintaining a central log management system, among others.

The infosec program must be developed and implemented within 180 days (six months).

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.