The settlement requires DNA Diagnostics Center to maintain reasonable security policies designed to protect consumer personal information. The company made the payment to the hacker in exchange for the deletion of stolen data, the settlement agreement noted. In September 2021, the threat actor contacted the company and demanded payment. On June 16, 2021, the threat actor used a test account that had administrator privileges to create a persistence mechanism that executed Cobalt Strike throughout the environment.

Between July 7, 2021, and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers using a decommissioned server. The settlement agreement also noted that when the threat actor initially accessed the VPN, DNA Diagnostics Center had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access. Investigations revealed that the threat actor logged into a virtual private network on using a DNA Diagnostics Center user account and harvested Active Directory credentials from a domain controller that provided password information for each account in the network. “The contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months,” the settlement agreement said.

During this time period, the attackers installed Cobalt Strike malware in the company’s network and extracted data.

A two-month delay in action

DNA Diagnostics Center was alerted to suspicious activity by its third-party data breach monitoring vendor, but the alerts were overlooked by the company. DNA Diagnostics Center will pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania. The breach exposed the Social Security numbers and other personal data of about 33,300 consumers in Ohio, and about 12,600 in Pennsylvania.
The joint investigation by Ohio and Pennsylvania found DNA Diagnostics Center made unfair and deceptive statements about its cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, exposing its consumers to harm. The stolen data was collected between 20. “Negligence is not an excuse for letting consumer data get stolen,” Ohio Attorney General Dave Yost said in a statement. “DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach - more than nine years after the acquisition,” the settlement agreement noted. “Specifically, the breach involved databases that were not used for any business purpose, but were provided to DNA Diagnostic Center as part of a 2012 acquisition of Orchid Cellmark,” the settlement agreement said.

DNA Diagnostics Center claimed that the breach impacted databases containing sensitive personal information, and that the data was accidentally transferred to the company without its knowledge. DNA Diagnostics Center’s hacking incident involved legacy data from Orchid Cellmark, which the company had acquired in 2012 to expand its business portfolio.