DNA-testing service left thousands of customers' records vulnerable online for years

DNA-testing service Vitagene shut down external access to more than 3,000 user files that were left exposed online for years, according to Bloomberg.

Vitagene had made the files accessible to the public on Amazon Web Services cloud-based computer servers until it was notified of the issue on July 1. Genealogy reports include customers' names, birth dates and gene-based health information.

The 3,000 exposed files were from when the company was in "beta" testing between 2015 and 2017.

"We immediately opened an investigation and blocked access to the files," company CEO Mehdi Maghsoodnia told Bloomberg in an email. "We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our applications. As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day."

Around 300 files contained clients' DNA data in blocks of code accessible to public viewing. While the information could only be understood by someone familiar with human genomes, a third of the data was coupled with users' first names, reports Bloomberg.

Vitagene previously openly stored 4,186 files within one collection on an AWS server. Additionally, the company left 1,401 user files in a less-secure setting that can be accessed by employees without authorization, Bloomberg reports.

Customers' results and DNA samples are stored without names or any other common identity information, the company said.

Vitagene has not contacted clients about the incident. The company plans to begin alerting customers after going through all the files that were exposed. 


© Copyright ASC COMMUNICATIONS 2020.