The DNA testing lab said it was not even aware that the legacy databases existed in its systems at the time of the breach. Credit: AVNphotolab / Ivanastar / Getty Images DNA Diagnostics Center, a DNA testing company, will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general. The company will also be required to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any assets identified that are not necessary for any legitimate business purpose.Founded in 1995, DNA Diagnostic Center is a private DNA-testing company that offers diagnostic and genetic tests to help answer relationship, fertility, and health and wellness questions. The forgotten legacy dataDNA Diagnostics Center’s hacking incident involved legacy data from Orchid Cellmark, which the company had acquired in 2012 to expand its business portfolio. “Specifically, the breach involved databases that were not used for any business purpose, but were provided to DNA Diagnostic Center as part of a 2012 acquisition of Orchid Cellmark,” the settlement agreement said. DNA Diagnostic Center claimed that the breach impacted databases containing sensitive personal information, and that the data was accidentally transferred to the company without its knowledge. “DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach — more than nine years after the acquisition,” the settlement agreement noted. “Negligence is not an excuse for letting consumer data get stolen,” Ohio Attorney General Dave Yost said in a statement. The stolen data was collected between 2004 and 2012. The joint investigation by Ohio and Pennsylvania found DNA Diagnostics Center made unfair and deceptive statements about its cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, exposing its consumers to harm. The breach exposed the social security numbers and other personal data of about 33,300 consumers in Ohio, and about 12,600 in Pennsylvania. DNA Diagnostics Center will pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania.A two-month delay in actionDNA Diagnostic Center was alerted of suspicious activity by its third-party data breach monitoring vendor but the alerts were overlooked by the company. “The contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months,” the settlement agreement said. During this time period, the attackers installed Cobalt Strike malware in the company’s network and extracted data. Investigations revealed that the threat actor logged into a virtual private network on May 24, 2021 using a DNA Diagnostic Center user account and harvested active directory credentials from a domain controller that provided password information for each account in the network. The settlement agreement also noted that when the threat actor initially accessed the VPN, DNA Diagnostic Center had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access. On June 16, 2021, the threat actor used a test account that had administrator privileges to create a persistence mechanism that executed Cobalt Strike throughout the environment.Between July 7, 2021, and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers using a decommissioned server. In September 2021, the threat actor contacted the company and demanded payment. The company made the payment to the hacker in exchange for the deletion of stolen data, the settlement agreement noted. Terms of settlementThe settlement requires DNA Diagnostics Center to maintain reasonable security policies designed to protect consumer personal information. It also requires the lab to designate an employee to coordinate and supervise its information security program. The DNA testing company will also have to conduct security risk assessments of its networks that store personal information annually, maintain an updated asset inventory of the entire network and disable or remove any assets identified that are not necessary for any legitimate business purpose. The company will have to design and implement reasonable security measures for the protection and storing of personal information, including timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication, and detect and respond to suspicious network activity within its network within reasonable means, the settlement statement added. Related content news analysis SEC rule for finance firms boosts disclosure requirements Amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. By Evan Schuman May 17, 2024 5 mins Data Breach Financial Services Industry Data Privacy feature DDoS attacks: Definition, examples, and techniques Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for over twenty years, and they’re only growing more prevalent and stronger. By Josh Fruhlinger May 17, 2024 10 mins DDoS Cyberattacks news FCC proposes BGP security measures Protecting the Border Gateway Protocol is as important as protecting the border. By Gyana Swain May 17, 2024 1 min Regulation Network Security news US AI experts targeted in cyberespionage campaign using SugarGh0st RAT Threat actors use phishing techniques to obtain non-public information about generative artificial intelligence. By Lucian Constantin May 16, 2024 4 mins Phishing Data and Information Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe