
DNA testing biz vows to improve infosec after criminals break into database it didn’t know it had

A DNA diagnostics company will pay $400,000 and tighten its security in the wake of a 2021 attack in which criminals broke into its network and swiped personal data on over two million people from a nine-year-old “legacy” database the company forgot it had.

The genetic testing firm, DNA Diagnostics Center (DDC), reached a settlement deal with the states’ attorneys general in Ohio and Pennsylvania last week, after the social security numbers of 45,000 residents of the two states were exposed, with each of the states getting $200k. Ultimately the 2021 attack exposed the data of over 2.1 million people who had undergone genetic testing across the US.

On its website, the company says its lab director, Dr Baird, has provided DNA expert consultation in cases including the OJ Simpson trial, the Anna Nicole Smith paternity case, and the Prince estate case. DDC offers paternity testing, immigration testing, veterinary DNA testing and forensic testing.

A criminal’s ransom, a decommissioned server, and a forgotten database

The stolen customer data had been previously bought by DDC from a British company in order to expand its business portfolio in 2012, court papers said, adding that “specifically, the breach involved databases that were not used for any business purpose, but were provided to DDC as part of a 2012 acquisition of Orchid Cellmark.”

DDC claimed the impacted databases, which contained “sensitive personal information,” were inadvertently transferred to DDC from Orchid Cellmark without its knowledge, and said it was not even “aware” that these legacy databases existed in its systems at the time of the breach – more than nine years after the acquisition. It also said it had done an inventory assessment and a systems penetration test; however, the “legacy databases that stored the sensitive personal information in plain text” were not identified during these tests because the assessments only focused on “active customer data.”

According to the settlement deal [PDF] it inked with Pennsylvania, the company ignored warnings from its MSP for months before taking action. “As early as May 28, 2021, DDC’s managed service provider began sending several automated alerts over a two-month period to DDC to notify the company that there was suspicious activity related to the Breach in DDC’s network.”

By August 2021, the service provider notified DDC that there were indications of Cobalt Strike malware observed on DDC’s network, “which finally led DDC to activate its incident response plan,” according to the settlement.

Legal news site Law360, meanwhile, quoted a DDC spokesperson as claiming its internal IT team had responded to a May email alert “through the decommissioning of technical assets that were potentially vulnerable.”

A DDC spokesperson told the Reg the decommissioning happened before the remediation program that began in August, and was done in response to the alert of suspicious activity.

According to the settlement:

DDC then paid the attacker in exchange for the deletion of stolen data, the settlement added.

The Ohio Attorney General claimed its investigation had found DDC engaged in “deceptive or unfair business practices” by making “material misrepresentations” in its customer-facing privacy policy. The policy will sound familiar to Reg readers, and read: “We are committed to protecting the security of your information. We use a variety of reasonable security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. Access to your personal information is limited and we take reasonable measures to ensure that your personal information is not accessible.”

Under the terms of the settlement, DDC must improve its security practices, hire a cybersecurity boss and bin information that “doesn’t serve any business purposes” such as defunct DBs. The genetics testing business must also start implementing regular software updates, pentest its networks and add 2FA. And the company agreed it would investigate and respond to future suspicious network activity “within reasonable time periods.”
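The failure described above is a scoping one: an inventory and a pentest that look only at “active customer data” will never surface a nine-year-old acquired store holding identifiers in plain text. The following is an added example, not DDC’s tooling or anything from the settlement, of the kind of data-inventory check the remediation terms call for: it walks every database it is handed, flags stores untouched for longer than an assumed two-year retention window, and samples columns for unhashed SSN-shaped values. The two in-memory SQLite databases, their names, and their rows are constructed for the example.

```python
"""Data-inventory and retention check (added example; fixtures are constructed)."""
import re
import sqlite3
from datetime import datetime, timedelta

# Matches the common hyphenated 9-digit SSN form, e.g. 123-45-6789.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# Assumed retention policy: data untouched this long has no business purpose.
RETENTION_DAYS = 2 * 365


def list_tables(conn):
    """All user tables in a SQLite database (internal sqlite_* tables excluded)."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    return [r[0] for r in rows]


def plaintext_ssn_columns(conn, table, sample_rows=200):
    """Column names in `table` whose sampled values look like unhashed SSNs."""
    cur = conn.execute(f'SELECT * FROM "{table}" LIMIT {int(sample_rows)}')
    columns = [d[0] for d in cur.description]
    hits = set()
    for row in cur.fetchall():
        for col, value in zip(columns, row):
            if isinstance(value, str) and SSN_RE.match(value):
                hits.add(col)
    return sorted(hits)


def assess_database(name, conn, last_modified, now, retention_days=RETENTION_DAYS):
    """Inventory one database: is it stale, and does it still hold plaintext SSNs?"""
    age_days = (now - last_modified).days
    stale = age_days > retention_days
    findings = {}
    for table in list_tables(conn):
        cols = plaintext_ssn_columns(conn, table)
        if cols:
            findings[table] = cols
    # A stale store that still holds raw identifiers is the worst combination:
    # outside the "active data" scope of routine assessments, yet fully exposed.
    if stale and findings:
        action = "delete or encrypt"
    elif stale:
        action = "review retention"
    elif findings:
        action = "encrypt/tokenise"
    else:
        action = "ok"
    return {
        "database": name,
        "age_days": age_days,
        "stale": stale,
        "plaintext_ssn": findings,
        "action": action,
    }


def constructed_fixtures(now):
    """Two in-memory databases standing in for an active store and a forgotten
    legacy one. Names, schemas and rows are constructed for this example."""
    active = sqlite3.connect(":memory:")
    active.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn_hash TEXT)")
    active.execute("INSERT INTO customers VALUES (1, 'A. Example', 'sha256:hashed-not-plaintext')")
    legacy = sqlite3.connect(":memory:")
    legacy.execute("CREATE TABLE acquired_clients (client_id INTEGER, full_name TEXT, ssn TEXT)")
    legacy.execute("INSERT INTO acquired_clients VALUES (7, 'B. Example', '123-45-6789')")
    return [
        ("customers_prod", active, now - timedelta(days=3)),
        ("legacy_acquired_2012", legacy, now - timedelta(days=9 * 365)),
    ]


def run_inventory(now=None):
    """Assess every known database; a real deployment would enumerate them from
    infrastructure, not from a hard-coded list."""
    now = now or datetime.now()
    return [assess_database(n, c, lm, now) for n, c, lm in constructed_fixtures(now)]


if __name__ == "__main__":
    for report in run_inventory():
        print(report)
```

The point of keying the check on age as well as content is that a store nobody has touched in years is exactly the one an “active data only” review skips; the action column makes the retention decision explicit rather than leaving the defunct database to be rediscovered by whoever breaks in next.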

Ohio Attorney General Dave Yost said of the settlement: “Negligence is not an excuse for letting consumer data get stolen.” Acting Pennsylvania AG Michelle Henry added: “The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes.” ®

Updated to add:

A DDC spokesperson told The Reg: “DDC also offered complimentary credit monitoring to eligible individuals out of an abundance of caution. Additionally, DDC cooperated fully with the Attorneys General to assist anyone impacted by the incident,” adding: “At present time, DDC is not aware of any reports of identity fraud or improper use of the information. Since the incident, DDC has been working with third-party experts to enhance our cybersecurity defenses.”