Biometric Data Leak: Facial DNA Provider Exposes Information Through WordPress Folder

Data Breach at ChoiceDNA Exposes Sensitive Customer Information

In a significant data breach, ChoiceDNA, an Indiana-based provider of genetic DNA testing and facial matching services, has inadvertently exposed approximately 8,000 sensitive records. The incident highlights critical weaknesses in data security practices: personal biometric images, personally identifiable information (PII), and facial DNA data were stored in a WordPress folder that was accessible to the public without any password protection.

The exposed information includes not only customer names, phone numbers, and email addresses, but also racial or ethnic identities along with personal annotations explaining their reasons for seeking facial DNA analysis. Alarmingly, some of the records involved vulnerable individuals, including newborn children, amplifying concerns regarding the potential misuse of this sensitive data. The breach was brought to light by cybersecurity researcher Jeremiah Fowler, who has a history of identifying and reporting database misconfigurations before they can be exploited by malicious actors.

Unlike typical breaches often attributed to malicious hacking or compromised cloud servers, this incident stemmed from a straightforward oversight: an unsecured folder on WordPress. The exposed data resided in a directory titled "Facial Recognition Uploads," which allowed anyone with internet access to view it. The duration for which this directory was publicly accessible remains unknown, further intensifying concerns about potential exploitation of the data.

Fowler’s report, shared with Hackread.com ahead of its publication, underscores the inherent risks of collecting and managing biometric data, particularly without explicit user consent. Leaked facial images can be misused for identity manipulation, for example through deepfakes. The metadata accompanying the exposed images included PII, which raises the additional risk of phishing and social engineering attacks against the affected customers.

ChoiceDNA, which offers services including a facial comparison technology dubbed FACE IT DNA, currently has packages priced from $38 to $63. Following the notification by Fowler regarding the breach, the company has since secured the folder in question. However, the incident serves as a stark reminder of the importance of implementing rigorous data protection strategies. WordPress, while a widely used content management system, can pose significant risks if not correctly configured to ensure secure data storage.
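The article describes a web-server folder that listed and served uploaded files to anyone who requested it. The following Python script is an added example, not code from the article or from ChoiceDNA, that a site operator can run against their own WordPress upload URLs: it detects an auto-generated "Index of" directory listing in a fetched page, flags linked files whose extensions suggest images or records rather than ordinary theme assets, and prints the Apache directives that turn listing off. The HTML listing below is constructed sample input; the hostname and path are placeholders.

```python
"""Audit a fetched HTML page for a server-generated directory listing and
flag files that look like uploaded customer data (added example, not the
article's or the vendor's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Extensions that, inside an upload folder, usually mean user-submitted
# images or exported records rather than theme or plugin assets.
SENSITIVE_EXT = {".jpg", ".jpeg", ".png", ".csv", ".json", ".txt",
                 ".zip", ".sql", ".xlsx", ".pdf"}

# Constructed sample: what Apache/nginx autoindex output looks like for a
# hypothetical upload folder. Hostname and path are placeholders.
SAMPLE_LISTING = """<html><head>
<title>Index of /wp-content/uploads/facial-uploads</title></head>
<body><h1>Index of /wp-content/uploads/facial-uploads</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="client_0001.jpg">client_0001.jpg</a>
<a href="client_0001_notes.txt">client_0001_notes.txt</a>
<a href="intake_2023.csv">intake_2023.csv</a>
<a href="thumbs/">thumbs/</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect the <title> text and every <a href> in the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(html):
    """True if the page title is the 'Index of /...' banner that Apache's
    mod_autoindex and nginx's autoindex generate."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.title.strip().lower().startswith("index of")


def exposed_files(html, base_url):
    """Return the files linked from a listing, each tagged as sensitive or
    not. Sort-order links (?C=...), the parent link and subdirectories are
    skipped; subdirectories would be audited by a recursive fetch."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.links:
        if href.startswith("?") or href.endswith("/"):
            continue
        ext = ("." + href.rsplit(".", 1)[-1].lower()) if "." in href else ""
        findings.append({"url": urljoin(base_url, href),
                         "sensitive": ext in SENSITIVE_EXT})
    return findings


def hardening_snippet():
    """Apache 2.4 directives for the folder's .htaccess. 'Options -Indexes'
    stops the listing; 'Require all denied' blocks direct download of
    anything in the folder, which is only appropriate for a folder that
    should never be web-served at all (the better fix is to keep such
    records outside the document root or behind application auth)."""
    return "Options -Indexes\nRequire all denied\n"


if __name__ == "__main__":
    base = "https://example.invalid/wp-content/uploads/facial-uploads/"
    if is_directory_listing(SAMPLE_LISTING):
        print("directory listing enabled at", base)
        for f in exposed_files(SAMPLE_LISTING, base):
            print(("SENSITIVE " if f["sensitive"] else "          ") + f["url"])
        print("\nSuggested .htaccess for this folder:\n" + hardening_snippet())
```

Run it against a page body you fetched from your own site with `urllib.request` or `curl`. Note that turning off directory listing only hides the index; any file whose URL is known or guessable is still served, so records like those described in the article belong outside the web root or behind authenticated download endpoints.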

For business owners and users alike, it is imperative to adopt proactive measures following any exposure of personal data. This includes changing passwords, avoiding the reuse of passwords across platforms, and configuring accounts with strong, unique passwords paired with two-factor authentication. Caution when sharing email addresses or phone numbers helps mitigate phishing attempts, and any request for sensitive personal information should be verified as legitimate before it is answered.

As the landscape of cybersecurity continues to evolve, this breach exemplifies how critical it is for organizations that handle sensitive data to employ secure storage methodologies. Businesses should remain vigilant, particularly in monitoring their data environments for vulnerabilities that could compromise sensitive personal information. The ways such information could be exploited, which the MITRE ATT&CK framework catalogues under tactics such as initial access and exfiltration, further underscore the necessity of robust security practices in today’s digital age.
