ArchiveOODA Original

Strategic Issues With Compromise Of Data From DNA Diagnostics Center’s Genetic Testing Database

As reported in the OODA Daily Pulse, a DNA testing center has admitted to a breach affecting the private information of up to 2 million people.

Details: Ohio-based DNA Diagnostics Center (DDC) recently reported (through a notification letter sent out to those affected) that:

“On August 6, 2021, DNA Diagnostics Center, Inc. (DDC) detected potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database that contained personal information collected between 2004 and 2012. The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC’s operations and has not been active since 2012.”

If you or someone in your personal network are DDC customers or if your company is a DDC strategic partner or supplier, follow up information and mitigation procedures if you have been impacted by the breach can be found at the  DDC Data Security Incident Information Center – DDC.

DDC is being criticized for disingenuously attempting to deflect responsibility for this breach. But the tech press seems to have not fallen for this as in the last 24 hours technology press outlets such ZDNet, SecurityWeek, and CyberWire have all picked up the story.   One law firm is already putting out feelers for a class action suit. broke the story yesterday, reporting that DDC “has disclosed a hacking incident that affects 2,102,436 persons.  The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, and the firm concluded its internal investigation on October 29, 2021.

The information that the hackers accessed includes the following:

  • Full names
  • Credit card number + CVV
  • Debit card number + CVV
  • Financial account number
  • Platform account password

The compromised database contained older backups dating between 2004 and 2012, and it’s not linked to the active systems and databases used by DDC today.”

Could This Hack Be Bigger Than Just the Breach of Personal Identifiable Information (PII)?

While the team here at OODA Loop is concerned about the impact of this hack on DDC customers’ data, personal accounts, etc., the story points to larger concerns that are central to our current research efforts.

First of all, we have no indication from reporting that genetic data has been compromised. But we do have indications that the company has acted disingenuously about this, and they clearly do not have a mature security program. Which calls into question whether or not they would even know if genetic data has been compromised in this or other attacks.

The potential for the weaponization of large-scale genomic data, biotechnological datasets, or the acquisition of PPI related to a person’s genome or biotechnology-based information of patients (en mass) through a cyberattack would not only compromise the privacy of individuals, but would compromise the privacy of every relative of those individuals and every descendant of those individuals through eternity.

OODA’s Bob Gourley and Dan Gerstein, in their March 2020 OODAcast conversation, discussed the potential for these types of unintended consequences emerging from biotechnology innovation:

Bob Gourley:  In the context of this current crisis [the Covid-19 Pandemic], does it underscore the importance of all of us thinking through where technology can take us?

Dan Gerstein:   I think we’re in the middle of a technology war and it’s being waged throughout the globe. It’s for having primacy in certain technologies. Some of these are just game-changing.   And I worry today that with capabilities such as biotechnology, that allows us to manipulate the genome with the internet of things, which has crept into our daily lives, and AI. If you see the link-up of these three, we’re liable to see a very changed humanity as we look to the future.

Also, in an October 2020 OODAcast conversation, Rear Admiral Paul Becker noted that “from a Chinese perspective, they are in an information war with the United States right now. They have interim objectives along the way. Information warfare, cyber warfare, media warfare, intimidation, psychological warfare. Any kind of warfare when it comes down to it.”

Of course, DDC has a responsibility to reveal the short-term impacts of the PII breach.  In their letter to impacted customers, DDC suggests that the hackers acquired PII information only, and in a Pollyanna fashion (as reported by Bleepingcomputer) “DDC underlines that no genetic testing data has been exposed due to the data breach incident, as this is stored in a different system.”

They felt the need to assure impacted individuals that the database accessed and acquired during the data security incident was a legacy database that dated back to the 2012 acquisition of a company that is not part of the current  DDC computer networks and was a standalone database. In other words, it was not ‘active data’  or active in any way on the parent company network.  But they are being naive if they do not think this stolen data has long-term strategic value to someone or some entity somewhere in the world.

The Evolving Cyber Threat Vector:  Long Term, Strategic Reconnaissance and Espionage

As recently as yesterday, we reported on some of the annual findings from the UK’s The National Cyber Security Centre (NCSC), a part of Government Communications Headquarters (GCHQ), in which they highlight the type of cyber threat activity they have seen evolve over the last year (which overall has become more professional and strategic in their estimation) and is eerily similar to the cybercriminal behavior described in this recently announced DDC data security incident:

“Organised crime groups spend time conducting in-depth reconnaissance on their targeted victims. They will identify exploitable cyber security weaknesses. They will use spoofing and spearphishing to masquerade as employees to get access to the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or sensitive material that they can threaten to leak or sell to others. And they may even research to see if a potential victim’s insurance covers the payment of ransoms.  This process can be painstaking and lengthy, but it means that, when they are ready to deploy, the effect of ransomware on an unprepared business is brutal.”

Consistent with this type of long term, strategic reconnaissance and espionage, it is as simple as this: the passwords which were acquired in the legacy database PII hack may well have been ported over as the access data on the new DDC system, in an effort at ‘ease of use’ for the new customers acquired by DDC in 2012 through M&A. This is a baseline process for most IT managers during a systems integration post-M&A.  The intruders are probably already in DDC’s new company records, including access to genomic and biotechnology datasets.

In our recent analysis of the Office of the Director of National Intelligence (DNI), National Counterintelligence and Security Center (NCSC) October 2021 report, “Protecting Critical and Emerging U.S. Technologies from Foreign Threats,” the NCSC calls this innovation activity “The Bioeconomy” and defines it as economic activity “that is driven by research and innovation in biotechnology and is further enabled by the convergence of the life sciences and data sciences (e.g., informatics, high-performance/quantum computing, and telecommunications).

The NCSC points out societal benefits that include the future of food security, healthcare, climate sustainability, alternative fuels, material science innovation, and innovative new products and platforms for use in daily life.  It is all very promising and exciting.  But this DDC data hack is potentially representative of a type of activity which is part of the larger dystopian narrative which Bob Gourley and Dan Gerstein discussed, Admiral Becker reinforced, the UK’s NCSC 2021 Annual Review most recently formally identified and diagnosed- and the DNI NCSC report elaborates upon eloquently:

“The powerful technologies harnessed by the bioeconomy can lead to national security and economic vulnerabilities. For example, biotechnology can be misused to create virulent pathogens that can target our food supply or even the human population. Genomic technology used to design disease therapies tailored to an individual also can be used to identify genetic vulnerabilities in a population. Large genetic databases that allow people’s ancestry to be revealed and crimes to be solved also can be misused for surveillance and societal repression.”

“During the past decade, moreover, competition in the global bioeconomy has intensified. Foreign nations have stolen critical intellectual property, research, and know-how from the U.S. bioeconomy. And, as a result of some countries’ policies, an asymmetry exists in the way information is shared, whereby the ability of U.S.-based researchers to access and use such information is denied.  Compounding the security challenges is that many existing legal frameworks focus on protecting finished intellectual property or licensed/patented products; whereas large bodies of data – such as patient health records or genetic sequence data – represent long-term, unrealized development of products and applications.”

On behalf of the OODA Loop membership, we will continue to investigate and report on the DDC Hack in the context of these larger cyber  and national security challenges.  Please reach out to us if come across any data points related to this story.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Daniel Pereira

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.