Breach
2016
FTC Fines Vitagene for Deceptive Privacy Practices Involving Public S3 Buckets


Incident Details

Vitagene, a consumer DNA sequencing company, received a fine from the FTC due to deceptive privacy practices, which included leaving thousands of customers' health and genetic data in publicly accessible Amazon S3 buckets.

Incident

How Did the Breach Happen?

Vitagene created publicly accessible Amazon S3 buckets without applying basic security safeguards, such as restricting access, encrypting data, logging or monitoring access, or maintaining an inventory for security.

What Data Has Been Compromised?

The data compromised included health reports for at least 2,383 consumers and raw genetic data (sometimes accompanied by first names) for at least 227 consumers.

Why Did the Company's Security Measures Fail?

The company failed to apply uniform safeguards to its data storage. It ignored multiple warnings from Amazon Web Services about the public nature of its buckets, and did not enable access controls or audit logs that would have allowed it to monitor and protect the sensitive information.

What Immediate Impact Did the Breach Have on the Company?

The immediate impact included public exposure of sensitive consumer data, media scrutiny, and a subsequent fine and legal action from the FTC. The company also had to undertake a rebranding effort from Vitagene to 1Health.io.

How Could This Have Been Prevented?

The breach could have been prevented by implementing basic security measures recommended for cloud storage such as access restrictions, encryption, activity logging and monitoring, prompt attention to security warnings, and regular security audits.
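The following is an added example, not code from the original page or from any party it describes: an offline check of S3 bucket settings for the safeguards listed above (access restriction, encryption, access logging). The per-bucket dict layout and the bucket names are assumptions; a policy statement that carries a `Condition` is treated as restricted, which is a simplification.

```python
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def audit_bucket(cfg):
    """Findings for one bucket: public exposure, missing encryption, missing logging."""
    findings = []
    missing = [f for f in PAB_FLAGS if not (cfg.get("PublicAccessBlock") or {}).get(f)]
    if missing:
        findings.append("public-access-block-incomplete:" + ",".join(missing))
    for grant in cfg.get("AclGrants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("public-acl-grant:" + grant.get("Permission", "?"))
    for sid in public_policy_statements(cfg.get("Policy") or {}):
        findings.append("public-policy-statement:" + sid)
    if not cfg.get("EncryptionRules"):
        findings.append("no-default-encryption")
    if not cfg.get("LoggingEnabled"):
        findings.append("no-access-logging")
    return findings

# Constructed sample inventory (placeholder names); the dict layout is an assumption
# whose keys mirror S3 API response fields.
INVENTORY = {
    "example-open-bucket": {
        "AclGrants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}],
        "Policy": {"Statement": [{"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject"}]},
    },
    "example-locked-bucket": {
        "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
        "EncryptionRules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
        "LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3/"},
    },
}
for name, cfg in INVENTORY.items():
    print(name, audit_bucket(cfg) or "no findings")
```

In practice the per-bucket dicts would be filled from the account's own bucket inventory, so that every bucket is checked and none is missed.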

What Have We Learned from This Data Breach?

This breach illustrates the importance of comprehensive security practices, particularly when handling sensitive health and genetic information. It highlights the need for immediate action upon receiving security warnings and the consequences of neglecting data privacy regulations.

Summary of Coverage

The Vitagene data breach, which resulted in the exposure of sensitive health and genetic data of over 2,600 consumers, was due to the company's failure to properly secure its Amazon S3 buckets. Despite warnings from AWS, the company neglected to take necessary precautions, leading to a $75,000 fine and a mandatory overhaul of its privacy practices. The incident underscores the critical need for better security measures and adherence to privacy laws in handling consumer data.
