DNA testing center admits to breach affecting SSNs, banking info of more than 2 million people

DNA Diagnostics Center said it discovered the breach on August 6 but noted that hackers had access from May 24 to July 28.
Written by Jonathan Greig, Contributor

A DNA testing company has reported a data breach that exposed the personal information -- including Social Security numbers and banking information -- of more than 2 million people, according to a notification letter the company is sending to those affected. 

Bleeping Computer, which first reported the breach, said 2,102,436 people had their information exposed by DNA Diagnostics Center, an Ohio-based DNA testing company. 

In a notice shared on the company's website, DNA Diagnostics Center said that on August 6, officials with the company discovered "potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database that contained personal information collected between 2004 and 2012."

Further investigation determined that the intruders potentially removed files and folders from portions of the database between May 24 and July 28, 2021. 

"The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC's operations and has not been active since 2012. Therefore, impacts from this incident are not associated with DDC. However, impacted individuals may have had their information, such as Social Security number or payment information, impacted as a result," the company said in a statement. 

"Upon learning of this issue, DDC proactively contained and secured the threat and executed a prompt and thorough investigation in consultation with third-party cybersecurity professionals. DDC has also coordinated closely with law enforcement following the discovery of this incident. Our investigation determined that the unauthorized individual(s) potentially removed certain files and folders from portions of our database between May 24, 2021, and July 28, 2021. DDC has been and remains fully operational, and the systems and databases that are actively used by DDC were not infiltrated. The in-depth investigation concluded on October 29, 2021, and DDC has begun notifying individuals potentially affected by this incident."

DDC added that the archived system was never used directly by the company and that anyone whose personal information was accessed is being offered Experian credit monitoring. 

DDC noted that anyone who was required to take a relationship DNA test as part of court proceedings, or who took independent, individual testing between 2004 and 2012, but has not received a mailed letter from DDC should call 1-855-604-1656 for more information.

DDC said it is working with cybersecurity experts to "regain possession" of the stolen information, and it recommends that anyone who thinks their information may be involved place a one-year "fraud alert" on their credit files. 

DDC did not respond to requests for comment. The company says it conducts more than one million DNA tests each year. 

Chris Clements, a vice president at Cerberus Sentinel, criticized DDC for "disingenuously attempting to deflect responsibility for the breach" because of its statement that the system was not directly associated with the company. 

"It doesn't matter what organization 'started' with the data; once you acquire it, it becomes your responsibility. I might be more forgiving if the data was only recently obtained by DDC, but by now, they've had it nearly a decade," Clements said. 

"If you aren't aware a given asset exists, you can't begin to secure it properly. A second observation is an almost three-month delay between the beginning of the breach and the first detection. DDC has not revealed what triggered the realization that they had suffered a cyberattack. Still, most organizations discover a compromise has occurred only when contacted by a third party such as security researchers that have traced a stolen dataset on the dark web back to their company or when contacted by the threat actor themselves with extortion demands."
