DNA Diagnostics Center (DDC) is one of the largest private DNA-testing companies. It offers diagnostic and genetic tests to help answer relationship, fertility, and health and wellness questions.
The testing company concluded its internal investigation on October 29, 2021, concerning an incident that disclosed a data breach between May 24, 2021, and July 28, 2021, and affected around 2,102,436 persons.
The information that the hackers stole includes the following:
- Full names
- Credit card number + CVV
- Debit card number + CVV
- Financial account number
- Platform account password
The stolen data also contained older backups between 2004 and 2012, but they are not linked to any active systems that DDC uses today.
DNA testing firm discloses data breach affecting 2.1 million people – @billtoulashttps://t.co/tqLnuj8gJz
— BleepingComputer (@BleepinComputer) November 30, 2021
In a notice shared on the company’s website, DNA Diagnostics Center said:
The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC’s operations and has not been active since 2012. Therefore, impacts from this incident are not associated with DDC. However, impacted individuals may have had their information, such as Social Security number or payment information, impacted as a result.
For their full statement, you can refer to the notification shared by Data Security Incident Information Center (DSIIC).
DDC has taken several steps in coordination with various cybersecurity experts to reacquire ownership of personal information and guarantee its protection. Currently, DDC is not informed of any reports of identity fraud or inappropriate use of the data.
Moreover, they are also offering free credit monitoring for impacted individuals to protect against identity fraud. According to DDC:
Chris Clements, a vice president at Cerberus Sentinel, while reprimanding DDC, said the following:
It doesn’t matter what organization ‘started’ with the data, once you acquire it, it becomes your responsibility. I might be more forgiving if the data was only recently obtained by DDC, but by now they’ve had it nearly a decade.
He further goes on to criticize DDC for not properly securing the data, the three-month delay between the start of the breach and first detection, and not revealing the reason that caused them to realize the cyberattack in the first place.
DCC says that no genetic testing data has been compromised as it is stored on a different system. So far, there have been no reports of fraud, but individuals are advised to remain vigilant. Make sure to check your bank statement and account to identify any suspicious activity.