Incident Details
Vitagene, a consumer DNA sequencing company, received a fine from the FTC due to deceptive privacy practices, which included leaving thousands of customers' health and genetic data in publicly accessible Amazon S3 buckets.
How Did the Breach Happen?
Vitagene created publicly accessible Amazon S3 buckets without applying basic security safeguards: it did not restrict access to the buckets, encrypt the data, log or monitor access to it, or maintain an inventory of the data for security purposes.
What Data Has Been Compromised?
The data compromised included health reports for at least 2,383 consumers and raw genetic data (sometimes accompanied by first names) for at least 227 consumers.
Why Did the Company's Security Measures Fail?
The company failed to apply uniform safeguards to its data storage. It ignored multiple warnings from Amazon Web Services about the public nature of its buckets, and did not enable access controls or audit logs that would have allowed it to monitor and protect the sensitive information.
What Immediate Impact Did the Breach Have on the Company?
The immediate impact included public exposure of sensitive consumer data, media scrutiny, and a subsequent fine and legal action from the FTC. The company also had to undertake a rebranding effort from Vitagene to 1Health.io.
How Could This Have Been Prevented?
The breach could have been prevented by implementing basic security measures recommended for cloud storage such as access restrictions, encryption, activity logging and monitoring, prompt attention to security warnings, and regular security audits.
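The safeguards listed above (public-access restrictions, default encryption, access logging) can be checked mechanically. The following is an added example, not code from the original writeup or from the company: an audit function that evaluates a bucket's configuration, using dicts shaped like the responses of boto3's get_public_access_block, get_bucket_acl, get_bucket_encryption and get_bucket_logging calls, with two constructed sample configurations (an exposed bucket and a hardened one) so that it runs offline.

```python
"""Audit an S3 bucket configuration for the basic safeguards this incident lacked."""
from typing import Dict, List

# Well-known S3 group grantee URIs; a grant to either makes the bucket non-private.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means every safeguard is in place.

    `cfg` merges the response shapes of the four boto3 calls named in the lead-in.
    A missing key stands for "AWS reported no such configuration" (assumption:
    the way a caller would record the NotFound errors those calls raise).
    """
    findings: List[str] = []
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} is off")
    for grant in cfg.get("Grants", []):  # bucket ACL
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption")
    if "LoggingEnabled" not in cfg:  # server access logging
        findings.append("server access logging disabled")
    return findings


# Constructed sample: a bucket set up the way the writeup describes
# (world-readable ACL, no public access block, no encryption, no logging).
EXPOSED = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

# Constructed sample: the same bucket with the recommended safeguards applied.
HARDENED = {
    "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                "Permission": "FULL_CONTROL"}],
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3-access/"},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(cfg) or ["ok"])
```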
What have we learned from this data breach?
This breach illustrates the importance of comprehensive security practices, particularly when handling sensitive health and genetic information. It highlights the need for immediate action upon receiving security warnings and the consequences of neglecting data privacy regulations.
Summary of Coverage
The Vitagene data breach, which resulted in the exposure of sensitive health and genetic data of over 2,600 consumers, was due to the company's failure to properly secure its Amazon S3 buckets. Despite warnings from AWS, the company neglected to take the necessary precautions, leading to a $75,000 fine and a mandatory overhaul of its privacy practices. The incident underscores the critical need for better security measures and adherence to privacy laws when handling consumer data.