DNA testing biz vows to improve infosec after criminals break into database it forgot it had
A DNA diagnostics company will pay $400,000 and tighten its security in the wake of a 2021 attack in which criminals broke into its network and swiped personal data on over two million people from a nine-year-old "legacy" database the company had forgotten it had. The genetic testing firm, DNA Diagnostics Center (DDC), reached a settlement deal with the states' attorneys general in Ohio and Pennsylvania last week, after the social security numbers of 45,000 residents of the two states were exposed, with each of the states getting $200k.
DDC offers paternity testing, immigration testing, veterinary DNA testing and forensic testing.
"As early as May 28, 2021, DDC's managed service provider began sending several automated alerts over a two-month period to DDC to notify the company that there was suspicious activity related to the Breach in DDC's network."
By August 2021, the service provider notified DDC that there were indications of Cobalt Strike malware observed on DDC's network, "which finally led DDC to activate its incident response plan," according to the settlement.
DDC then paid the attacker in exchange for the deletion of stolen data, the settlement added.
Under the terms of the settlement, DDC must improve its security practices, hire a cybersecurity boss, and bin information that "doesn't serve any business purposes," such as defunct databases. The genetics testing business must also start implementing regular software updates, pentest its networks, and add 2FA. The company also agreed to investigate and respond to future suspicious network activity "within reasonable time periods."
News URL: https://go.theregister.com/feed/www.theregister.com/2023/02/20/dna_testing_firm_pays_200k/