10/29/2023

Dna diagnostics center ddc

DNA Diagnostics Center to pay $400,000 fine for 2021 data breach

One of the largest commercial DNA testing companies in the world agreed to pay a $400,000 fine to Ohio and Pennsylvania after a 2021 data breach compromised the information of more than 2 million people. The announcement from DNA Diagnostics Center (DDC) comes after a lawsuit filed by the two states' attorneys general accused the company of waiting three months to even acknowledge the breach.

Of the 2.1 million people who had data leaked, 12,663 were from Pennsylvania and 33,282 were from Ohio. The leaked information included Social Security numbers and healthcare data.

"The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes," Pennsylvania's acting Attorney General Michelle Henry said. "That's why my Office took action with the assistance of Attorney General Yost in Ohio."

Prosecutors for both states said the issue began with DDC's 2012 acquisition of Orchid Cellmark's government paternity business. Investigators said DDC conducted a penetration test after the acquisition but only focused on databases with "active customer data."

The DDC investigation found that on May 24, someone logged into a company VPN using DDC credentials and used the access to obtain a directory of credentials for all accounts on the network. By May 28, 2021, DDC received an automated alert from its managed service provider indicating that "suspicious activity" was occurring related to the Orchid Cellmark unit's network. The same managed service provider repeatedly contacted DDC to warn them that the network was being accessed but was ignored until August, when the hacker installed Cobalt Strike malware. DDC kickstarted its incident response plan after that notice.

In total, the hacker accessed five servers and stole 28 databases, eventually contacting DDC in September 2021 demanding payment in exchange for the stolen data. DDC paid the hacker an undisclosed amount to delete the data. Prosecutors accused the company of violating several laws, including the Consumer Protection Law, due to its misrepresentation of efforts to protect consumer data.

Chris Clements, a vice president at Cerberus Sentinel, criticized DDC for "disingenuously attempting to deflect responsibility for the breach" due to its comments about the system not being associated with the company directly. "It doesn't matter what organization 'started' with the data; once you acquire it, it becomes your responsibility. If you aren't aware a given asset exists, you can't begin to secure it properly. I might be more forgiving if the data was only recently obtained by DDC, but by now, they've had it nearly a decade," Clements said.

A second observation is an almost three-month delay between the beginning of the breach and the first detection. DDC has not revealed what triggered the realization that it had suffered a cyberattack. Still, most organizations discover a compromise has occurred only when contacted by a third party, such as security researchers who have traced a stolen dataset on the dark web back to the company, or when contacted by the threat actor with extortion demands.
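The failure mode described above, a provider's repeated "suspicious activity" warnings going unacknowledged for roughly three months, is something a SOC can measure. The following Python is an added example, not code from DDC or its service provider: it runs over constructed alert records modelled loosely on the article's timeline (first alert 2021-05-28, repeat warnings through August, asset names invented) and flags any asset whose alerts sit unacknowledged past an SLA or that keeps re-alerting without anyone acting.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime        # when the provider raised the alert
    asset: str          # network segment or host the alert concerns
    summary: str
    acknowledged: bool  # did anyone on the customer side act on it?


# Constructed sample records (assumed values, not the provider's real data),
# loosely following the article: first MSP alert on 2021-05-28, repeated
# warnings about the same unit's network ignored until August.
SAMPLE_ALERTS = [
    Alert(datetime(2021, 5, 28), "orchid-cellmark-net", "suspicious activity", False),
    Alert(datetime(2021, 6, 14), "orchid-cellmark-net", "suspicious activity", False),
    Alert(datetime(2021, 7, 9), "orchid-cellmark-net", "suspicious activity", False),
    Alert(datetime(2021, 8, 2), "orchid-cellmark-net", "suspicious activity", False),
    Alert(datetime(2021, 6, 3), "corp-hq-net", "failed VPN logins", True),
]


def escalate(alerts, now, sla=timedelta(days=2), repeat_threshold=3):
    """Group alerts by asset and report those whose oldest open alert breaches
    the acknowledgement SLA, or that have re-alerted repeatedly with no action."""
    by_asset = defaultdict(list)
    for a in alerts:
        by_asset[a.asset].append(a)
    findings = {}
    for asset, items in by_asset.items():
        open_items = [a for a in items if not a.acknowledged]
        if not open_items:
            continue                      # acknowledged alerts need no escalation
        first = min(a.ts for a in open_items)
        age = now - first
        reasons = []
        if age > sla:
            reasons.append(f"oldest open alert is {age.days} days past first notice")
        if len(open_items) >= repeat_threshold:
            reasons.append(f"{len(open_items)} unacknowledged alerts for the same asset")
        if reasons:
            findings[asset] = {"first_seen": first, "open_count": len(open_items),
                               "age_days": age.days, "reasons": reasons}
    return findings


def escalate_sample():
    # Evaluate the constructed alerts as of 2021-08-20 (assumed review date).
    return escalate(SAMPLE_ALERTS, datetime(2021, 8, 20))
```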