DNA Diagnostics Center (DDC), an Ohio-based private DNA testing company, last week reached a settlement deal with the Ohio and Pennsylvania state attorneys general in relation to a 2021 breach that saw the theft of 45,000 residents' personal details. Overall the attack compromised over 2.1 million customers who had undergone genetic testing across the US. The company will pay a total fine of $400,000 for Ohio and Pennsylvania, and has promised to tighten its information security.

When DDC acquired Orchid Cellmark, a British company also in the DNA testing industry, as part of its business expansion in 2012, the company didn't know that it also inherited legacy databases that kept personally identifiable information (PII) in plain text form. According to court documents, "the Breach's impacted databases, containing sensitive personal information, were inadvertently transferred to DDC without its knowledge. Moreover, DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach - more than nine years after the acquisition."

DDC said it conducts both inventory assessment and penetration testing on its systems. But since it was unaware of the unused databases, they were not included in the tests, as the assessments focused only on those with active customer data.

In May 2021, one of DDC's MSPs (managed service providers) began sending automated alerts over a two-month period about suspicious activities within its network. Court documents didn't reveal why DDC didn't act on the alerts, but three months later, the same MSP notified DDC again, this time about Cobalt Strike malware activity in its network. This triggered the company's incident response plan.

According to the investigation, an attacker used a compromised employee account to log into the old VPN (virtual private network) that DDC used before migrating to a new one. It's not known how this account ended up in the attacker's hands, but they were able to harvest Active Directory (AD) credentials from a domain controller, a server providing security authentication for users. Weeks later, the attacker used a test account with administrator privileges to establish persistence in the now-compromised environment. In the following weeks, the attacker accessed five servers and copied 28 databases. They then exfiltrated data from DDC using a decommissioned server. Finally, in September, the attacker contacted DDC to extort payment for all the data they had. The company paid up to have all copied data deleted. No threat group has owned up to the attack.