On July 19, family history enthusiasts who used THE GEDmatch website to upload DNA information and search for relatives to fill out a family tree received an unpleasant message,media BuzzFeed News reported. Suddenly, more than a million pieces of DNA that had been hidden were used by police to find information that matched the DNA portion of the crime scene for police search.
The news undermines efforts to acquire Verogen, the forensic genetics company that acquired GEDMatch, in December, to convince users that it will protect their privacy while pursuing a business based on the use of genetic lineages to help solve violent crime.
The second alert came on July 21, when MyHeritage, an Israeli-based genealogy website, announced that some of its users had been hit by phishing attacks to obtain their login information on the site – apparently at the email address it had obtained when GEDMatch was attacked two days earlier.
In a statement emailed to BuzzFeed News and posted on Facebook, Verogen explained that the discovery of the INFORMATION hidden by law enforcement was “planned through a sophisticated attack on one of our servers through an existing user account.”
“Because of this vulnerability, all users’ permissions are reset so that all users can see all the files. This situation lasted about three hours,” the statement said. “During this period, users who did not choose to participate in law enforcement matching could make a law enforcement match, whereas all law enforcement files were visible to GEDMatch users.”
In April 2018, an investigation broke out on the genetic genealogy following the arrest of Joseph James DeAngelo, the alleged Golden State killer. DeAngelo pleaded guilty last month to 13 murders and dozens of other crimes. DNA found by investigators at the scene of a 1980 double murder partially matched information on GEDmatch that belonged to the killer’s distant relatives. Through painstaking research, they established a family lineage that eventually came together with DeAngelo.
Since then, dozens of people suspected of murder and rape have been identified in a similar manner. But this has caused a lot of disagreement in the genealogy world. While some genealogists are now cooperating with the police, others believe that genetic privacy has been compromised.
GeDmatch’s solution is that users must explicitly choose to be searched by law enforcement after the site’s rules were influenced by a less serious violent attack. According to Verogen, about 280,000 of the 1.45 million data before the hack was selected. Sunday’s loophole changed the setting, leaving 1.45 million DNA files searched by law enforcement.
Genealogists on both sides of the debate told BuzzFeed News that they worry that the new security breach will prevent people from putting their DNA files online — hurting both the online genealogy community and efforts to resolve cold cases. “It’s a whole new bad situation,” Leah Larkin, a family genealogist in Livermore, California, an outspoken gene privacy advocate, told BuzzFeed News.
“In the long run, it’s not a good thing if people decide that they have less confidence in GEDMatch and that more personal data is deleted,” CeCe Moore, chief genealogist at Parabon NanoLabs, a company that works with police to tackle violent crime, told BuzzFeed News.
It was not immediately clear if any unauthorized information had been searched by law enforcement. However, Moore told BuzzFeed News that her team was responsible for most of the identification of suspects through genetic lineages so far, when they were offline. “We don’t see anything we shouldn’t see,” she says. “
GeDmatch’s normal service was briefly restored after the initial hack, but on July 20, Moore noticed that the rights to all files had been changed, this time to block law enforcement searches throughout the database, but to make the files marked “research” visible, which should have been hidden in all searches.
The site was quickly taken offline and replaced with a message. “The gedmatch website has been shut down for maintenance and there is currently no ETA.”
“We are working with a cybersecurity company to conduct a comprehensive forensic review and help us implement the best security measures.” Verogen said in a statement issued after the second incident.
The leak was an embarrassment for Verogen, which users hoped would bring a more professional approach to genetic privacy when verogen bought the site seven months ago. Prior to Verogen, GEDMatch was founded and operated by two amateur genealogists, Curtis Rogers and John Olson. However, the company’s statement reassured users that “no user data has been downloaded or disclosed.”
That conclusion was questioned on July 21when family history site MyHeritage warned its customers that those with GEDMatch accounts had been targeted by a phishing email that sent them to a fake login page with the domain name myheritaqe.com, which replaced the “g” in MyHeritage with “q” – to obtain their username and password.
“Because OF THE DATA BREACH THAT GEDMATCH SUFFERED TWO DAYS AGO, WE SUSPECT THAT THE PERPETRATORS OBTAINED THEIR EMAIL ADDRESSES AND NAMES IN THIS WAY IN ORDER TO COMMIT THIS ABUSE,” MYHERITAGE SAID IN A BLOG POST.
“We found that 16 of them had been victims of the site and entered their passwords in them. So far, that number may be higher. We tried to contact these users separately, warn them to change their passwords again, and set up two-factor authentication on MyHeritage. The company said.
Unlike GEDMatch, MyHeritage does not allow its database sourcing it from being used by the police. But there is no evidence that the hackers were carried out by the police, who are trying to subvert restrictions on law enforcement searches. The motive for the hack is unclear.