
An American company forgets that it has two million DNA profiles and has them hacked

A company specializing in DNA testing has been fined 400,000 euros after a huge security breach. The names, social security numbers and bank details of 2 million people had been hacked.

“Since 1995, our clients have entrusted us with more than 20 million DNA tests performed.” This is the first thing DNA Diagnostics Center (DDC) displays on its website. However, the American company somewhat betrayed this trust by allowing hackers to infiltrate its network.

In May 2021, DDC was the victim of a computer attack using Cobalt Strike, a cybersecurity tool that, once hijacked, can become a Trojan horse capable of infiltrating and infecting computers. The attack could have been prevented if the company had listened to the warnings of one of its service providers.

Data retained unknowingly

A few weeks earlier, the company responsible for monitoring DDC's data had notified it of the presence of Cobalt Strike. DDC ignored multiple email warnings, for an unknown reason.

This negligence thus allowed hackers to easily access the group’s databases, collecting the personal information of 2.1 million people who underwent a test between 2004 and 2012, mainly in Pennsylvania and Ohio.

To justify itself, DNA Diagnostics Center claimed it did not know it held this data. In fact, the information collected typically belonged to Orchid Cellmark, a forensic medicine company acquired by DDC in 2012. The data had been transferred in error at the time of the acquisition, without DDC being aware that this information was on its servers.

$400,000 fine

This is therefore a double penalty for DDC, which, in addition to having to pay the ransom demanded by the hackers, was brought to justice by prosecutors in Pennsylvania and Ohio for this leak of highly sensitive data. The names, social security numbers and bank details of the customers were indeed stolen.

The two US states requested a fine of $200,000 each, resulting in a total fine of $400,000 for DNA Diagnostics Center. The company announced that it would strengthen its security resources and conduct annual evaluations to verify their effectiveness.

Author: Julie Ragot
Source: BFM TV
