DNA testing center admits exposing SSNs and bank details of more than 2 million people

A DNA testing company has reported a data breach that exposed the personal information, including Social Security numbers and banking information, of more than 2 million people, according to a notification letter the company is sending to those affected.

Bleeping Computer, which first reported the breach, said 2,102,436 people had their information exposed by DNA Diagnostics Center, an Ohio-based DNA testing company.

In a notice shared on the company’s website, DNA Diagnostics Center said that on August 6, company officials discovered “potential unauthorized access to its network, in which there was unauthorized access and acquisition of an archived database containing personal information collected between 2004 and 2012.”

Further investigation revealed that hackers deleted files and folders from parts of the database between May 24 and July 28.

“The impacted database was associated with a national system for organizing genetic tests that DDC acquired in 2012. This system has never been used in DDC operations and has not been active since 2012. Therefore, the impacts of this incident are not associated with DDC. However, those affected may have seen their information, such as their social security number or payment information, impacted as a result,” the company said in a statement.

“Upon learning of this issue, DDC proactively contained and secured the threat and conducted a prompt and thorough investigation in consultation with third-party cybersecurity professionals. DDC also coordinated closely with law enforcement after the incident was discovered. Our investigation determined that unauthorized persons potentially deleted certain files and folders from parts of our database between May 24, 2021 and July 28, 2021. DDC has been and remains fully operational, and systems and databases actively used by DDC were not infiltrated. The in-depth investigation ended on October 29, 2021 and DDC has started to notify those potentially affected by this incident.”

DDC added that the archived system has never been used directly by the company and that anyone whose personal information has been accessed is offered Experian credit monitoring.

They noted that anyone who was required to undergo relationship DNA testing in legal proceedings, or who underwent an independent individual test, between 2004 and 2012 but did not receive a letter from DDC must call 1-855-604-1656 for more information.

DDC has claimed it is working with cybersecurity experts to “reclaim” stolen information, but recommends anyone who believes their information may be involved set up a one-year “fraud alert” on their credit records.

DDC did not respond to requests for comment, but noted that it performs more than one million DNA tests each year.

Chris Clements, vice president of Cerberus Sentinel, criticized DDC for “spurious attempts to deflect responsibility for the breach,” referring to the company’s statement that the system was not directly associated with its operations.

“It doesn’t matter which organization ‘started’ with the data, once you acquire it, it becomes your responsibility. I might be more forgiving if the data was only recently obtained by DDC, but they have had it now for almost a decade,” Clements said.

“If you don’t know that a particular asset exists, you can’t start securing it properly. A second observation is the almost three-month delay between the onset of the breach and the first detection. DDC has not revealed what triggered the realization that they had suffered a cyberattack, but most organizations find that a compromise only occurred when contacted by a third party such as security researchers who tracked down a set of data stolen from the dark web to their business, or when contacted by the threat actor himself with extortion requests.”
