RISKS

What happened

In a press release issued in late November 2021, DNA Diagnostics Center (DDC) explained that on August 6 it detected unauthorized access to its network. The investigation determined that the unauthorized access and data exfiltration were confined to a database DDC had acquired in 2012 when it purchased a national genetic testing service (reportedly Orchid Cellmark). The compromised database contained older backups dating between 2004 and 2012, and it is not linked to the active systems and databases used by DDC today.

The incident resulted in a confirmed data breach that occurred between May 24 and July 28, 2021, and the firm concluded its internal investigation on October 29, 2021. Over 2.1 million people were impacted, and the data accessed reportedly included names, credit card numbers including CVV, debit card numbers including CVV, financial account numbers, and platform account passwords. DDC also noted in its announcement that SSN data may have been exposed and stated that it “has taken steps, in coordination with its third-party cybersecurity experts, to regain possession of this personal information and ensure its safekeeping”.

 

Why is this important?

This data from “older backups dating between 2004 and 2012” should probably have been deleted well before 2021.

 

What does this mean to me?

Often, sensitive data within an organization is forgotten, but as this breach shows, unauthorized access to it can still cost your company big. It’s important to identify sensitive data throughout the organization and eliminate redundant, obsolete, or trivial (ROT) data. Another helpful configuration is record-level logging, especially for databases and email; for cloud services this is usually overlooked. Without it, once unauthorized access is confirmed, the organization has to notify on the entire dataset, because it lacks the record-level forensic detail needed to narrow the notification.
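How record-level logging narrows the notification scope, as an added example that is not part of the original briefing. The log format, field names, record IDs and the `svc_backup` account are constructed assumptions; the window uses the breach dates reported above, and the log is assumed to cover that whole window.

```python
import json
from datetime import datetime, timezone

# Constructed record-level audit log (JSON lines). Field names are assumptions.
AUDIT_LOG = """\
{"ts":"2021-05-20T10:02:11Z","principal":"svc_backup","table":"customers","record_id":101}
{"ts":"2021-05-24T03:14:00Z","principal":"svc_backup","table":"customers","record_id":102}
{"ts":"2021-06-15T09:30:45Z","principal":"app_web","table":"customers","record_id":103}
{"ts":"2021-07-28T23:59:59Z","principal":"svc_backup","table":"customers","record_id":104}
{"ts":"2021-08-01T08:00:00Z","principal":"svc_backup","table":"customers","record_id":105}
"""
ALL_RECORD_IDS = set(range(101, 111))  # constructed: every record in the dataset
COMPROMISED = {"svc_backup"}           # hypothetical account tied to the intrusion
WINDOW_START = datetime(2021, 5, 24, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 7, 28, 23, 59, 59, tzinfo=timezone.utc)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def notification_scope(log_text, all_ids, principals, start, end):
    """Return (record_ids, narrowed). Falls back to the whole dataset whenever
    the log cannot prove which records were read."""
    if not log_text or not log_text.strip():
        return set(all_ids), False          # no record-level logging at all
    touched = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            ts = parse_ts(event["ts"])
            principal = event["principal"]
        except (ValueError, KeyError, TypeError):
            return set(all_ids), False      # damaged evidence: assume worst case
        if principal in principals and start <= ts <= end:
            record_id = event.get("record_id")
            if record_id is None:           # bulk read logged without record ids
                return set(all_ids), False
            touched.add(record_id)
    return touched, True


if __name__ == "__main__":
    ids, narrowed = notification_scope(AUDIT_LOG, ALL_RECORD_IDS, COMPROMISED,
                                       WINDOW_START, WINDOW_END)
    print(f"narrowed={narrowed}, notify {len(ids)} of {len(ALL_RECORD_IDS)}: {sorted(ids)}")
```

Any gap in the evidence (no log, an unparseable line, or a bulk read without record IDs) pushes the scope back to the full dataset, which is the situation the paragraph above describes.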

 

 

APPROACHES

Helpful Controls

Database/Record level logging

Technology review of monitoring, alerting, and logging solutions (SIEM, EDR, MDR, IPS, Log aggregation, Threat monitoring)

Data Classification

Data Inventory and Retention Policy

Sensitive Data Scanning

 

Commonality of attack

High

 

Article on story

DNA testing firm discloses data breach affecting 2.1 million people

 

Outcome 

DNA Diagnostics Assurance of Voluntary Compliance, OH; pg. 7 – DoCRA

 

 

HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.
