Incident Of The Week: DNA-Testing Company Veritas Genetics Discloses Unauthorized Access Of Customer Data

Customer Portal Separate From DNA Test And Health Data

Jeff Orr

Genomics Security

Personal data comes in many forms. Name, physical address and birthdate are the familiar examples of personally identifiable information (PII). Our digital society has widened the range to include user credentials, email addresses, facial images and fingerprints. When identity theft occurs, replacement credentials can usually be issued; biometric data such as fingerprints cannot be replaced.

Sensitive information can also take the form of electronic medical records, and more recently, the ability to test DNA. Advances in genomics research allow individuals to submit a test kit for analysis and insight into a myriad of genetic conditions.

Veritas Genetics Discloses Unauthorized Access Of Customer Data

The DNA testing company Veritas Genetics recently disclosed that a customer-facing portal had been accessed by an unauthorized user, according to a report by Bloomberg. The startup says that the portal did not contain personal health records, DNA test results or genomic data, which were housed on a separate system.

Little information beyond the breach disclosure is known. Veritas said that only a handful of customers were potentially impacted by the breach and that it will notify everyone affected. The potential compromise of health-related data triggers a specific set of disclosure and notification obligations.

Growth In DNA Testing Industry Creates Significant Personal Data

Veritas is a newer name in the DNA-testing ecosystem alongside brands 23andMe Inc. and LLC. The startup sequences all genes of a human genome, which creates a significantly greater amount of information than its competitors. In July, Veritas announced it had sequenced 5,000 human genomes and predicted that 1 million whole genome sequences will occur in 2021. More than 26 million people have used home DNA tests, according to an MIT Technology Review article.

Some DNA testing provides insight into family origin and immigration patterns while others analyze genes that are associated with health conditions and traits likely to be passed down to future generations. The role of most human genes, however, remains unclear.

Sequencing a whole genome generates data on 6.4 billion variants. A bad actor who disclosed this amassed data could cause irreparable harm to individuals: the genetic conditions of celebrities, politicians and people with incurable diseases, for example, could become public knowledge.

Incident Response And Remediation

The company said that an investigation into the breach has been initiated, the cause of the incident has been remediated and that cyber security experts were brought in to consult with the organization.

Data privacy concerns are amplified in situations where PII is at risk of exposure. Industries have not shown the ability to self-regulate, which has led to legislation. The member states of the European Union (EU) enacted privacy laws in May 2018. California’s CCPA law goes into effect January 2020 and several additional states and multiple federal bills have been drafted to protect PII and penalize offenders.

Prepare For The Unknown

A cyber security incident cannot be predicted given the broad variety of threat vectors, but organizations can prepare for the unknown. Where could an attack originate, and what data is at risk? One thing Veritas did was recognize that PII should be stored separately from the customer-facing portal. Creating this type of logical and physical separation limits the amount and type of data exposed when an attack occurs.
