DNA testing biz vows to improve infosec after criminals break into database it forgot it had

A DNA diagnostics company will pay $400,000 and tighten its security in the wake of a 2021 attack where criminals broke into its network and swiped personal data on over two million people from a nine-year-old "legacy" database the company forgot it had. The genetic testing firm, DNA Diagnostics Center (DDC) reached a …

  1. Martin Gregorie

    Enquiring minds want to know...

    Since the stolen data was originally gathered by Orchid Cellmark, does this count as an orchidectomy?

    1. trindflo Silver badge

      Re: Enquiring minds want to know...

      It's certainly bollixed up

  2. Mayday
    Thumb Down

    Let me guess

    "We take security very seriously and we are sorry"

    Yeah thanks, now DNA, arguably the most private personal information of all, is all over the internet/stolen for all to see. One of the 500 reasons I'd never give my DNA to some private company. Blows my mind when people send a swab off to check their ethnicity makeups or the like.

    1. IGotOut Silver badge

      Re: Let me guess

      " swab off to check their ethnicity makeups or the like."

      Which is complete and utter bollocks anyway.

      It's for sad people who desperately cling to some meaningless strand of history to attempt to make their lives more "interesting"

      Yes, looking at you in the States, claiming a great, great grandparent once had a dirty weekend in Dublin, so that makes you part Irish

  3. Anonymous Coward
    Anonymous Coward

    "criminals break into database it forgot it had"

    Here we see what happens when you cheap out and/or outsource your IT from in house, if you ever had a proper IT team in the first place. Devs are wonderfully creative people but most don't care for operational requirements; if root/admin gets the job done to run something then so be it, no time to faff around with user privs stuff, that's an ops dept job. Then you get a service company who barely gives a monkey's 'cos they get their money already and you're just another customer. (Trust me, I've worked in a very large outsourcer and you're told to do the bare minimum to cover contract requirements.)

    So you don't have anyone watching your kit and your data and next thing stuff just slips through the cracks and some naughty boys and girls will have fun with your stuff!

  4. Mr Dogshit
    Headmaster

    There is no such verb as "to ink"

    1. Joe W Silver badge

      Calvin: "Verbing weirds language"...

    2. ChoHag Silver badge

      etymonline.com suggests ink has been in use as a verb since the 16th century and 200 years before the printing press came about to take it over.

      Catch up, grandad.

      Also your icon is wrong.

    3. A. Coatsworth Silver badge
      Headmaster

      The Merriam-Webster's dictionary says you are wrong, and records the first usage in 1562.

      And, if that reference is too US-centric for you, so says Cambridge's

  5. Doctor Syntax Silver badge
    Facepalm

    Less than 20c per data subject!

    If you're going to let them off that cheaply the settlement should at least include a requirement that any public statements about their data security be honest and accurate: "We didn't care enough about customer data to secure it."

    But these breaches will continue until fines are big enough to bring a few companies down. Only then will manglement think security and IT expertise are worth spending money on.

    1. Anonymous Coward
      Anonymous Coward

      I'm thinking $1000 given to each data subject, plus being liable for any identity theft occurring within a year from the leak.

      Moral of the story - don't collect sensitive data (like social security numbers) in the first place!

      1. Bruce Ordway

        Just don't provide sensitive data (like social security numbers)

        It is common in the US for businesses to ask for your social security number.

        I always refuse to provide my SSN until a real requirement is verified.

        I find 9 times out of 10 they are "just asking" and for no legitimate reason.

        EXCEPT in my state it is now required by the Motor Vehicle Department (in my state at least).

        I'm not sure when this became state law. I only know the last time I renewed my drivers license I did finally have to give them my SSN.

  6. Daedalus

    SSN isn't just a nuclear submarine

    Elephant in the room: what was Cellmark doing with Social Security Numbers in the first place? There is no legitimate need for them outside of employment and banking. Unless Cellmark were coordinating with govt. databases, they should not have been requiring clients to submit them.
