The DNA testing lab said it was not even aware that the legacy databases existed in its systems at the time of the breach. Credit: AVNphotolab / Ivanastar / Getty Images DNA Diagnostics Center, a DNA testing company, will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general. The company will also be required to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any assets identified that are not necessary for any legitimate business purpose.Founded in 1995, DNA Diagnostic Center is a private DNA-testing company that offers diagnostic and genetic tests to help answer relationship, fertility, and health and wellness questions. The forgotten legacy dataDNA Diagnostics Center’s hacking incident involved legacy data from Orchid Cellmark, which the company had acquired in 2012 to expand its business portfolio. “Specifically, the breach involved databases that were not used for any business purpose, but were provided to DNA Diagnostic Center as part of a 2012 acquisition of Orchid Cellmark,” the settlement agreement said. DNA Diagnostic Center claimed that the breach impacted databases containing sensitive personal information, and that the data was accidentally transferred to the company without its knowledge. “DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach — more than nine years after the acquisition,” the settlement agreement noted. “Negligence is not an excuse for letting consumer data get stolen,” Ohio Attorney General Dave Yost said in a statement. The stolen data was collected between 2004 and 2012. The joint investigation by Ohio and Pennsylvania found DNA Diagnostics Center made unfair and deceptive statements about its cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, exposing its consumers to harm. The breach exposed the social security numbers and other personal data of about 33,300 consumers in Ohio, and about 12,600 in Pennsylvania. DNA Diagnostics Center will pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania.A two-month delay in actionDNA Diagnostic Center was alerted of suspicious activity by its third-party data breach monitoring vendor but the alerts were overlooked by the company. “The contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months,” the settlement agreement said.During this time period, the attackers installed Cobalt Strike malware in the company’s network and extracted data. Investigations revealed that the threat actor logged into a virtual private network on May 24, 2021 using a DNA Diagnostic Center user account and harvested active directory credentials from a domain controller that provided password information for each account in the network. The settlement agreement also noted that when the threat actor initially accessed the VPN, DNA Diagnostic Center had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access. On June 16, 2021, the threat actor used a test account that had administrator privileges to create a persistence mechanism that executed Cobalt Strike throughout the environment.Between July 7, 2021, and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers using a decommissioned server. In September 2021, the threat actor contacted the company and demanded payment. The company made the payment to the hacker in exchange for the deletion of stolen data, the settlement agreement noted. Terms of settlementThe settlement requires DNA Diagnostics Center to maintain reasonable security policies designed to protect consumer personal information. It also requires the lab to designate an employee to coordinate and supervise its information security program. The DNA testing company will also have to conduct security risk assessments of its networks that store personal information annually, maintain an updated asset inventory of the entire network and disable or remove any assets identified that are not necessary for any legitimate business purpose. The company will have to design and implement reasonable security measures for the protection and storing of personal information, including timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication, and detect and respond to suspicious network activity within its network within reasonable means, the settlement statement added. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe