A prominent DNA testing firm has settled a pair of lawsuits with the attorneys general of Pennsylvania and Ohio over a 2021 breach in which cybercriminals stole data on 2.1 million people, including the Social Security numbers of 45,000 customers across the two states. Under the settlements, the company, DNA Diagnostics Center (DDC), will pay a combined $400,000 to the two states and has agreed to strengthen its information security practices. The company said it did not even know it held the stolen data, which sat in an old database.
On its website, DDC calls itself the “world leader in private DNA testing” and boasts of its lab director’s involvement in a number of high-profile criminal cases, including the O.J. Simpson trial and the Anna Nicole Smith paternity case. The company also claims to be the “media’s primary source for answers to DNA testing questions” and the “premier laboratory to perform DNA testing for TV shows and radio programs.” Impressive as that may sound, there is one thing DDC clearly isn’t the “world leader” in: cybersecurity practices. Before the recent lawsuits, it doesn’t sound like the company had much of any.
Evidence of the intrusion first surfaced in May 2021, when DDC’s managed service provider (MSP) sent an automated notification warning the firm of unusual activity on its network. DDC did little with that information. Several months passed before the MSP reached out again, this time to report that there was now evidence of Cobalt Strike on the network.
Cobalt Strike is a commercial adversary-simulation tool built for penetration testers and red teams, and its Beacon implant is routinely abused by criminals for command and control and lateral movement inside networks they have already compromised. Unexpectedly finding it on your network is never a good sign: short of a scheduled red-team engagement, it means an intruder has established a foothold and is moving through the environment, so the alert calls for immediate containment rather than a wait-and-see response. By the time DDC responded to its MSP’s warnings, the attacker had stolen data on 2.1 million people who had been genetically tested in the U.S., including the Social Security numbers of 45,000 customers from Ohio and Pennsylvania.
The Register reports that the stolen data came from a “legacy database” DDC had accumulated years earlier and then apparently forgot about. In 2012, DDC acquired another forensics firm, Orchid Cellmark, and inherited that firm’s databases with the purchase. DDC has since claimed it was unaware the data was even in its systems, saying that an earlier inventory of its data stores turned up no sign of the information on millions of people that the hacker later stole.
Not long after news of the data breach emerged, Ohio and Pennsylvania sued the company.
“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost, of the incident. “We’re proud to partner with Pennsylvania to ensure that citizens’ personal data stays private—which consumers rightly expect.”
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” said acting Attorney General of Pennsylvania Michelle A. Henry. “That’s why my Office took action with the assistance of Attorney General Yost in Ohio.”
Under the settlements, DDC must put in place some basic protections: hiring a professional CISO to oversee its information security program, conducting occasional security risk assessments of its network, maintaining an up-to-date asset inventory, designing and implementing “reasonable security measures” to protect its data, and developing a plan to respond to “suspicious network activity within its network within reasonable means.” All of this is baseline practice that most companies should already follow, and each item maps directly onto a failure in this incident: an accurate asset inventory would have surfaced the forgotten Orchid Cellmark database, and a working incident response plan would have meant acting on the MSP’s first alert rather than waiting months for a second one.