Being online, while a necessary component of a successful business these days, carries a lot of risks to your data security. Vulnerabilities and exploits are always on the rise, and the vast majority of breaches are caused by human error. If your company goes through a breach, the costs to your finances and your reputation can be devastating. On top of that, information privacy regulations are becoming more strict, but there is not yet a consistent global standard, which can be confusing.
With that in mind, it’s essential to actively manage your security while automating as many things as possible to keep your security team available for the most urgent and complex issues. By prioritizing data discovery and classification, you can make your life a lot easier. Having protocols and automated discovery and classification will isolate your sensitive data, limit employee access, and pinpoint exactly where your data live in your environment.
Inside the DNA Diagnostics Center (DDC) Breach
Between May and July 2021, DNA Diagnostics Center (DDC) received multiple notices from its managed services provider that there was suspicious activity in its network. As it turned out, the suspicious activity led to at least 5 servers and 2.1 million people being affected. Approximately 45,000 social security numbers were accessed by the attackers. DDC did not implement its incident response plan until August, which allowed its consumer data to be exposed far longer than it should have been.
According to DDC, the reason these data were vulnerable was that they were part of a legacy acquisition from another company, and that company’s database had the personal information stored in plaintext. Insufficient data discovery and classification measures, combined with DDC simply forgetting it had the data, resulted in the legacy database flying under the radar. It was not being actively monitored and secured because it did not contain active customer information. However, archived personal information about customers should not have been accessible to attackers. Those customers are now at risk for identity theft.
There were severe consequences for the company for this lapse in privacy protection. DDC voluntarily offered credit score monitoring to the affected individuals, and they were forced to pay their attackers to delete the customers’ personally-identifying information. They paid another $400,000 as part of their settlement with the states of Ohio and Pennsylvania, and the settlement also requires them to invest in improved security.
DNA Breach Enabled by Poor Data Visibility
When a company has hundreds or thousands of customers over a decade or two of operation, remembering where all of the data are stored and the exact contents of old servers can be a tall order. DDC learned this the hard way when a decommissioned server was used by an attacker to extract data that the company forgot it had.
Had DDC invested more in data visibility, the breach might have been avoided. Data visibility indicates how easy it is for a company to identify and catalog all of the files in an environment and monitor them for suspicious activity. By improving its ability to accurately assess risk and protect its whole environment, DDC could have prevented the attacker from accessing functionally invisible information. The company also ignored several notifications from its managed services provider, suggesting that although it had resources dedicated to monitoring its data, it did not adequately understand its environment and the data it contained.
Protecting “Forgotten” Data from Breaches
DDC outsourced some of its monitoring, but it failed to respond promptly or appropriately to the alerts it received until after multiple servers had been compromised. Had the company known more about the information it had in its databases, those alerts might have raised more alarm. Data discovery and classification help companies solve these types of problems by identifying what information is (or should be) private and how users interact with it.
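The following added example (not from the original article, DDC, or any vendor's product) shows content-based discovery on a legacy database: it samples every column and flags those whose values are mostly SSN-shaped, regardless of what the column is called. The SQLite schema, the table and column names, the thresholds, and the sample rows are all constructed for illustration.

```python
import re
import sqlite3

# SSN-shaped value: 3-2-4 digits, dashes optional. Area 000/666/9xx, group 00
# and serial 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")

def classify_columns(conn, sample_rows=200, threshold=0.8):
    """Return {(table, column): hit_ratio} for columns that look like plaintext SSNs."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample_rows,)).fetchall()
            values = [str(r[0]).strip() for r in rows if str(r[0]).strip()]
            if not values:
                continue
            ratio = sum(1 for v in values if SSN_RE.match(v)) / len(values)
            if ratio >= threshold:  # classify by content, not by column name
                findings[(table, col)] = ratio
    return findings

def build_sample_db():
    # Constructed stand-in for an acquired legacy database; all values are fake.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_clients (id INTEGER, full_name TEXT, ref_no TEXT, phone TEXT)")
    conn.executemany("INSERT INTO legacy_clients VALUES (?,?,?,?)", [
        (1, "Test Person A", "123-45-6789", "5550100001"),
        (2, "Test Person B", "234567890", "5550100002"),
        (3, "Test Person C", "345-67-8901", "5550100003"),
    ])
    conn.execute("CREATE TABLE orders (id INTEGER, sku TEXT)")
    conn.execute("INSERT INTO orders VALUES (1, 'KIT-0001')")
    return conn

if __name__ == "__main__":
    print(classify_columns(build_sample_db()))
```

The innocuously named `ref_no` column is the only one flagged, which is the case a name-based inventory of an inherited schema would miss.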
Once you can see the data and how it is used or accessed, as well as which accounts have access to it and how much access those accounts have, it is much easier to identify suspicious activity. This also enables companies to make policies that cover 100% of their information. Once those policies are in place, everyone has a much better understanding of what data they own and can access, and then you can implement automated monitoring to catch atypical access or use.
The DDC breach was avoidable. Many companies are struggling to keep up with the rising numbers of potential exploits, but if your company doesn’t have data visibility, you greatly increase your risk of an expensive data breach. Organizations should learn from DDC’s example and be sure that all acquisitions and old databases are included in classification and monitoring. While it’s not a guarantee of complete safety, knowing what data you have, where you store your data, and what appropriate access to the information looks like will go a long way towards improving your security.