Millions of people have had their personal data compromised after hackers breached a database of a DNA testing company that officials at the firm had forgotten even existed, reported Gizmodo on Tuesday.
"A prominent DNA testing firm has settled a pair of lawsuits with the attorney generals of Pennsylvania and Ohio after a 2021 episode that saw cybercriminals steal data on 2.1 million people, including the social security numbers of 45,000 customers from both states," reported Lucas Ropek. "As a result of the lawsuits, the company in question, DNA Diagnostics Center (or DDC), will have to pay out a cumulative $400,000 to both governments and has also agreed to beef up its digital security practices. The company said it didn’t even know it had the data that was stolen because it was stored in an old database."
DDC claims on its website to be the "world leader in private DNA testing," and that its lab director has been involved in a number of famous cases including the O.J. Simpson murder trial.
According to state officials, in May of 2021, DDC's service provider "reached out via automated notification to inform the firm of unusual activity on its network." But DDC did not act until months later, when that provider informed it of evidence that its network had been infiltrated with Cobalt Strike — a popular penetration-testing tool that criminals also use to operate inside systems they have compromised.
“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost, one of the key figures behind the legal action against DDC. As part of the settlement, DDC will be required to implement a series of information security policies, many of which are standard practice that companies are expected to have in place already.
Breaches of personal information have affected millions of people in recent years, as criminal hacking has moved from small-time viruses against personal computers to targeted attacks on institutions and businesses, either to deploy ransomware or to steal customers' personal information for fraudulent use. One of the most high-profile incidents was the Equifax breach of 2017, when a still-unknown entity penetrated one of the nation's largest private credit-reporting bureaus and obtained critical identifying information about nearly half of the entire U.S. population.