DNA Diagnostics Center (DDC) filed a data breach notification with the Maine Attorney General’s office disclosing that hackers accessed sensitive details of more than 2.1 million people.
The notification reveals that the breach affected an archived database containing personal information collected between 2004 and 2012 by the national genetic testing organization whose system DDC acquired in 2012.
However, the DNA testing firm said it acted swiftly and contained the threat after detecting the unauthorized network access.
Additionally, the leading paternity testing company notified law enforcement officials and commenced an investigation with a third-party cyber forensics firm.
DNA testing firm data breach exposed payment and personal information
DDC concluded its investigation on October 29 and started notifying the affected individuals who received DNA testing between 2002 and 2012. The company's data breach notification also discloses that unauthorized individuals potentially removed certain files and folders from the database between May 24 and July 28. The DNA testing firm is working to regain possession of the exfiltrated files.
According to the technology website BleepingComputer, which first reported the data breach, hackers accessed the victims' full names, social security numbers, credit and debit card numbers and CVVs, financial account numbers, and the breached system's password.
“The DDC data breach demonstrates the breadth of information we as consumers possess and willingly give up to vendors and service providers,” commented Trevor Morgan, Product Manager with comforte AG. “While this incident, which reportedly affects over 2 million data subjects, compromised only financial, transactional, and account data, the organization maintains records containing PHI and other sensitive health information too (DNA testing, ancestry information), information that fortunately wasn’t compromised in the incident.”
The good news is that no genetic information was stolen, and the breach was limited to the archived system. DDC said the archived database was not in active use, and its current system was not affected.
“This system has never been used in DDC’s operations and has not been active since 2012,” the company said. “DDC has been and remains fully operational, and the systems and databases that are actively used by DDC were not infiltrated.”
However, the DNA testing firm also tried to distance itself from some of the impact of the data breach.
“DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC.”
Chris Clements, Vice President at Cerberus Sentinel, slammed the company for trying to shift the blame.
“It doesn’t matter what organization ‘started’ with the data; once you acquire it, it becomes your responsibility,” said Clements. “I might be more forgiving if the data was only recently obtained by DDC, but by now, they’ve had it nearly a decade.”
Measures for those affected by the data breach
DDC is offering one year of free credit monitoring through Experian to protect the affected people from identity theft. The DNA testing firm also advised any customer who suspects they might be affected to place a fraud alert on their credit files. They should also check whether they are eligible for the complimentary credit monitoring services from the contracted firm.
Victims should remain vigilant for fraudulent activity on their bank accounts and report any such activity to the relevant authorities immediately.
Jonathan Knudsen, Senior Software Strategist, Synopsys Software Integrity Group, says that a data breach involving DNA is alarming because, unlike a credit card, DNA cannot be changed.
“You can change your phone number, your address, your credit cards, and your user names and passwords. But your DNA will always be your DNA. That makes news of a data breach at DDC especially alarming.”
“A holistic approach to application security can prevent incidents like this. For sensitive data like DNA, defenses should be applied in layers,” added Knudsen. “This is only effective when security is part of the application design from the very beginning. During development, rigorous security testing helps to minimize vulnerabilities. When the application is deployed, continuous monitoring and quick response to incidents help keep risk to a minimum.”