Gene sequencing giant Illumina has agreed to pay $9.8 million to settle accusations that products provided to the US government were affected by cybersecurity vulnerabilities, the Justice Department announced last week.
Illumina has been accused that between 2016 and 2023 it sold to federal agencies genomic sequencing systems that were affected by vulnerabilities.
The company allegedly also lacked a proper security program and the means to identify and address such vulnerabilities.
The government said Illumina failed to incorporate cybersecurity into the lifecycle of its products, failed to allocate sufficient resources to product security, failed to patch design features introducing vulnerabilities, and falsely claimed that its software adhered to cybersecurity standards.
The cybersecurity agency CISA issued an advisory to notify organizations about vulnerabilities in Illumina products, specifically the Local Run Manager, in 2022. The agency warned at the time that the flaws could be exploited by a remote, unauthenticated attacker to take over the product.
In 2023, both CISA and the FDA issued notifications over vulnerabilities in the Universal Copy Service (UCS) component used by several of Illumina’s genetic sequencing instruments, warning that the security holes could allow remote hacking.
The $9.8 million settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act by a former Illumina employee, who will receive $1.9 million of the amount.
SecurityWeek has reached out to the company for comment and will update this article if it responds.
Related: Settlement Reached in Investors’ Lawsuit Against Meta CEO Mark Zuckerberg and Other Company Leaders
Related: Raytheon, Nightwing to Pay $8.4 Million in Settlement Over Cybersecurity Failures
Related: Google Agrees to $1.3 Billion Settlement in Texas Privacy Lawsuits
