DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons.
The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, and the firm concluded its internal investigation on October 29, 2021.
The information that the hackers accessed includes the following:
- Full names
- Credit card number + CVV
- Debit card number + CVV
- Financial account number
- Platform account password
The compromised database contained older backups dating between 2004 and 2012, and it’s not linked to the active systems and databases used by DDC today.
“The impacted database was associated with a national genetic testing organization that DDC has never used in its operations and has not been active since 2012,” reads the notice.
“DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC.”
DDC is working with external cyber-security experts to regain possession of the stolen files and to ensure that the threat actor does not propagate them further. So far, there have been no reports of fraud or misuse of the stolen details.
The affected individuals will receive a notification letter and instructions on enrolling for one year of free credit monitoring and identity theft protection services through Experian.
The recipients of these notices are advised to remain vigilant against fraud and to monitor their bank account statements frequently so that suspicious activity can be identified and reported immediately.
DDC underlines that no genetic testing data has been exposed by the incident, because that data is stored in a separate system.
The company offers paternity, DNA relationship, fertility, COVID-19, ancestry, and immigration-related testing, so it holds very sensitive data.
According to the notice, though, nothing relevant to these services has been compromised.
We have reached out to DDC to request more details about the nature and impact of the hacking incident, and we will update this piece as soon as we have a response.
Comments
Wh1t3Ryn0 - 2 years ago
Instead of some crappy Experian (who gets breached) for one year, these companies need to get roasted. From now on you pay $10,000 to each person whose data you lost... this will stop these lackadaisical security practices, not some stupid "1 year of crappy protection".
Some-Other-Guy - 2 years ago
Add another $10,000 per person when these companies give your data away or sell it to a 3rd party.
Why should anyone pay for their own DNA info, when these companies just turn around and give it away, sell it, or lose it to others?
mc1618 - 2 years ago
Why were they storing CVV?
k2sno - 2 years ago
mc1618 - PCI DSS Requirement 3.2 didn't come out until 2016... the records stolen were from 2004 to 2012, on a server from a company that DDC acquired... so the original company that stored the CVVs was not wrong. However, DDC should have removed the credit card and CVV numbers to comply with 3.2 and later. The funny thing is, all the data was expired by the time it was stolen... so this is a non-newsworthy story. If the hackers used the old server/database to then laterally move to newer servers and steal active CC data, this would be a relevant story.