Protect Your Data and Reputation: How Confidence in Data Stewardship Breaks Down

May 20, 2025

As technology has become more ubiquitous and blurs the lines between the physical world and the digital world, your digital persona becomes more infused with your physical attributes. The way that cookies monitor your behavior as you physically go grocery shopping pairs with your digital window-shopping last night to provide “more relevant” content in your email and social media feeds. Fingerprint phone access and face scanning for unlocking have moved from the silver screen to our pockets. The pervasiveness of our biology for interacting with technology means that it needs to be quantified as data and that data is beginning to be used for more than we thought possible.

Companies have begun to use this collection of data to better understand their customer base and angle it to enhance profitability. This blog will be a case study that looks at the lifecycle of the data aggregated by a biotechnology company and the best practices that consumers can take away from it.

How Personal Biotechnology Services Work

Advances in genomics and medical studies have shown correlations to probable behaviors, lifespans, health outcomes, vices, etc. based on our genes. In response, biotechnology and genomics companies began to provide direct access to their genetic information, aiming to revolutionize insights into personal health and ancestry. These consumer-facing genetic testing kits allow for users to have their DNA sequenced to gain additional insights into their genetics and ancestry. Using a cheek swab, these labs would process the samples and the whole genome would be sequenced and stored in their database.
Figure 1: Initial customer provided genomic data

Beyond genetic information, some companies have an option for customers to anonymously provide their genomic data for further research. For one company, a large percentage of the approximately 15 million users had opted their data into these programs. Additional offerings, including the ability to link DNA to other users in their database for relative matches, became a core piece of a data breach which we will look at later in this blog.

Since these organizations do not have the same classification as other medical institutions, they do not have the same obligations to HIPAA compliance for this data. The House Committee on Energy and Commerce is investigating how bankruptcy of a breached organization will affect users’ data and what protections need to be placed on them. Questions like: Who really owns that data? Did users unknowingly sign away their rights in the fine print? And most importantly, who’s ultimately accountable when things go south? For one company, these risks became a reality.

The Data Breach

In addition to genetic and health-related information, these biotech companies have names, locations and birthdays in their profiles. Genetic tree mappings can be used to learn more about genetically adjacent individuals if the linked functionality exists, allowing for an exponential increase in data exfiltration through scraping. For one company, approximately 7 million users’ data was leaked and listed for sale on the dark web.

This breach happened through what’s known as a credential stuffing attack. It’s not a sophisticated technique, just effective. Attackers used stolen usernames and passwords from other breaches, betting that many people reuse the same login across multiple sites. They were right. Without stronger security layers like multifactor authentication or behavior-based monitoring, it was easy to slip through unnoticed.
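
The behavior-based monitoring mentioned above can be sketched as a small detector (an added example, not code from Optiv or from the breached company): credential stuffing shows up as one source trying many different accounts in a short time with mostly failed logins. The event format, the thresholds and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real login traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 10     # accounts tried by one source inside WINDOW
MIN_FAIL_RATIO = 0.8        # share of those attempts that failed


def detect_stuffing(events):
    """events: (iso_timestamp, source_ip, username, "success" | "fail").

    Returns {source_ip: [accounts that logged in successfully]} for every
    source whose sliding window crossed both thresholds. Those accounts
    are the ones to lock, reset and review first.
    """
    recent = defaultdict(deque)   # ip -> attempts still inside WINDOW
    flagged = {}                  # ip -> set of accounts with a success
    for ts, ip, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        win = recent[ip]
        win.append((now, user, outcome))
        while now - win[0][0] > WINDOW:
            win.popleft()
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if o == "fail")
        stuffing_like = (len(users) >= MIN_DISTINCT_USERS
                         and fails / len(win) >= MIN_FAIL_RATIO)
        if stuffing_like or ip in flagged:
            flagged.setdefault(ip, set()).update(
                u for _, u, o in win if o == "success")
    return {ip: sorted(hit) for ip, hit in flagged.items()}


def build_sample():
    """Constructed log: one source tries 12 accounts, one user mistypes once."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    events = [((t0 + timedelta(seconds=5 * i)).isoformat(), "203.0.113.50",
               f"user{i:02d}", "success" if i == 3 else "fail")
              for i in range(12)]
    events += [((t0 + timedelta(seconds=20)).isoformat(), "198.51.100.9", "dana", "fail"),
               ((t0 + timedelta(seconds=40)).isoformat(), "198.51.100.9", "dana", "success")]
    return events


if __name__ == "__main__":
    print(detect_stuffing(build_sample()))
```

Keying on source IP alone is only one signal; in practice it is combined with controls such as multifactor authentication and per-account failure counts.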

This wasn’t about breaking through a high-tech firewall; it was about taking advantage of weak identity controls. The real failure wasn’t just in stopping the attack; it was in not being ready for a tactic that’s become very common.

Fallout

The result? Loss of trust, lawsuits and financial damage. But this wasn’t just a security failure. It pointed to something bigger: a breakdown in oversight, risk management and overall strategy. In some cases, the data sets were classified based on vulnerable ethnic minorities, which could lead to increased risk exposure for those groups.

In cases like this, allegations can be made for a failure to safeguard customer data, violation of consumer protection and privacy laws and breach of contract negligence. Demands can be made for monetary damages, credit monitoring services and improved data security practices. Also, one of the main drivers of these companies is their ability to connect other medical firms or pharmaceuticals to their detailed datasets. If these become public, then a large part of their business and revenue will be erased.

Post-Mortem and Best Practices

So, what should users do now with this understanding? First, if you have an account with a biotechnology or DNA testing company, download your data for offline storage before deleting it from your online account. If your data has been leaked as part of a breach, ensure you are also requesting to have your genetic material destroyed and revoke any research or product consents, ensuring your data is not being used in future research.

Secondly, revise the current credential management process. Basic safeguards like access control, identity checks, and anomaly detection aren’t optional anymore. And don’t just write an incident response plan; test it. When a crisis hits, time is limited. A security partner can help turn these plans into action.
Because in the age of cyber-attack, it’s not a matter of if but when, so preplanning and preparation with a security partner like Optiv is paramount.

Conclusion

Examples of breaches like these should be a wakeup call, not just for biotech firms or tech companies, but for anyone handling sensitive data. Today’s consumers are more informed, more cautious, and far less forgiving. This is a situation where having a cybersecurity partner regularly vet your systems could’ve made a real difference. Optiv partners with companies to create and rehearse incident response plans so they’re not figuring it out in real time. In this space, delays don’t just cost money. They cost reputation.

The incident was a credential stuffing attack, emphasizing a failure in access governance and user identity verification. Optiv’s services such as Zero Trust architecture implementation, continuous identity analytics and behavior-based anomaly detection using AI are designed to counteract such threats. It’s about understanding user behavior, flagging strange activity and using AI to monitor for suspicious signs and activity. Having a cybersecurity partner ensures companies are resilient to unauthorized access attempts and prepared to detect the threats before they escalate.

Let’s look at some of Optiv’s solutions and see how they could’ve been helpful in a scenario like this. Identity modernization would have monitored access, making sure only verified users can interact with the data and preventing a credential stuffing attack. Detection and response could’ve added a layer of monitoring and triggered early intervention. Data protection would’ve gone beyond encryption and would’ve monitored the data and any unauthorized access. In addition, implementation of AI services, such as real-time threat detection, could've monitored the data while identifying unusual patterns such as a surge in login attempts, which is an indication of a credential stuffing attack.

Cybersecurity is a leadership priority.
It’s tied directly to trust, to business continuity, and in some cases, survival. The companies that invest early and partner wisely are the ones that will still be standing when the next breach hits the headlines.

Reach out to Optiv to learn more about how to take an effective, proactive approach to minimizing cyber risk and protecting your organization against a data loss incident.

By: Danny Cohen
Danny Cohen is an AI principal security consultant for Optiv with over 15 years of experience in technology, specializing in AI application security. His work is centered on securing AI/ML systems. Danny focuses on building trust, resilience and security into next generation technologies, helping organizations stay ahead of evolving threats in the AI era.

By: Nikhil Ollukaren
Nikhil Ollukaren is a senior application security consultant at Optiv with over 10 years in consulting and programming/development. His areas of expertise include artificial intelligence, application and device penetration testing assessments, security scanning tool deployments and onsite application security program development, including Software Development Life Cycle (SDLC). Nikhil focuses on helping clients secure their web and mobile applications, discovering their current secure SDLC capabilities and providing guidance on how to improve their maturity for smooth operation.