{"id":50669,"date":"2023-02-21T16:45:36","date_gmt":"2023-02-21T16:45:36","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34347\/DNA-Testing-Biz-Vows-To-Improve-Infosec-After-Database-Is-Pilfered.html"},"modified":"2023-02-21T16:45:36","modified_gmt":"2023-02-21T16:45:36","slug":"dna-testing-biz-vows-to-improve-infosec-after-database-is-pilfered","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/dna-testing-biz-vows-to-improve-infosec-after-database-is-pilfered\/","title":{"rendered":"DNA Testing Biz Vows To Improve Infosec After Database Is Pilfered"},"content":{"rendered":"

A DNA diagnostics company will pay $400,000 and tighten its security in the wake of a 2021 attack where criminals broke into its network and swiped personal data on over two million people from a nine-year-old “legacy” database the company forgot it had.<\/p>\n

The genetic testing firm, DNA Diagnostics Center (DDC) reached a settlement deal with states’ attorneys general in Ohio and Pennsylvania last week, after the social security numbers of 45,000 residents of the two states was exposed, with each of the states getting $200k. Ultimately the 2021 attack exposed the data of over 2.1 million people who had undergone genetic testing across the US.<\/p>\n

On its website<\/a>, the company says its lab director, Dr Baird, has provided DNA expert consultation in cases including the OJ Simpson trial, the Anna Nicole Smith paternity case, and the Prince estate case. DDC offers paternity testing, immigration testing, veterinary DNA testing and forensic testing.<\/p>\n

A criminals’ ransom, a decommissioned server, and a forgotten database<\/h3>\n

The stolen customer data had been previously bought by DDC from a British company in order to expand its business portfolio in 2012, court papers said, adding that “specifically, the breach involved databases that were not used for any business purpose, but were provided to DDC as part of a 2012 acquisition of Orchid Cellmark.”<\/p>\n

DDC claimed the impacted databases, which contained “sensitive personal information” were inadvertently transferred to DDC from Orchid Cellmark<\/a> without its knowledge and said it was not even “aware” that these legacy databases existed in its systems at the time of the breach \u2013 more than nine years after the acquisition. It also said it had done an inventory assessment and a systems penetration test; however, the “legacy databases that stored the sensitive personal information in plain text” were not identified during these tests because the assessments only focused on “active customer data.”<\/p>\n