A prominent DNA testing firm has settled a pair of lawsuits with the attorney generals of Pennsylvania and Ohio after a 2021 episode that saw cybercriminals steal data on 2.1 million people, including the social security numbers of 45,000 customers from both states. As a result of the lawsuits, the company in question, DNA Diagnostics Center (or DDC), will have to pay out a cumulative $400,000 to both governments and has also agreed to beef up its digital security practices. The company said it didn’t even know it had the data that was stolen because it was stored in an old database.
On its website, DDC calls itself the “world leader in private DNA testing,” and boasts of its lab director’s affiliation with a number of high-profile criminal cases, including the OJ Simpson trial and the Anna Nicole Smith paternity case. The company also claims that it is the “media’s primary source for answers to DNA testing questions” and that it’s considered the “premier laboratory to perform DNA testing for TV shows and radio programs.” While that may all sound very impressive, there’s definitely one thing DDC isn’t the “world leader” in—cybersecurity practices. Prior to the recent lawsuits, it doesn’t really sound like the company had any.
Evidence of the hacking episode first surfaced in May of 2021, when DDC’s managed service provider reached out via automated notification to inform the firm of unusual activity on its network. Unfortunately, DDC didn’t do much with that information. Instead, it waited several months before the MSP reached out yet again—this time to inform it that there was now evidence of Cobalt Strike on its network.
Cobalt Strike is a popular penetration testing tool that has frequently been co-opted by criminals to further penetrate already compromised networks. Unexpectedly finding it on your network is never a good sign. By the time DDC officially responded to its MSP’s warnings, a hacker had managed to steal data connected to 2.1 million people who had been genetically tested in the U.S., including the social security numbers of 45,000 customers from both Ohio and Pennsylvania.
The Register reports that the stolen data was part of a “legacy database” that DDC had amassed years ago and then apparently forgot that it had. In 2012, DDC had purchased another forensics firm, Orchid Cellmark, accumulating the firm’s databases along with the sale. DDC has subsequently claimed that it was unaware that the data was even in its systems, alleging that a prior inventory of its digital vaults turned up no sign of the information of millions of people that was later boosted by the hacker.
[…]
Source: DNA Diagnostics Center Forgot About Clients’ Data, Leaked It
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft