DNA analysis companies such as GEDmatch are popular because they let people explore their family history and health risks, as Techspot reported. More recently, many of these companies have expanded into the forensic genomics market, building DNA profiles for law enforcement, often without a solid cybersecurity strategy to protect users’ data. On July 19th a major security breach prompted the owner of the DNA analysis service GEDmatch to take the site offline.
A preliminary investigation found that the breach had made the DNA profiles in the database available for law-enforcement searching, extended to all users of the service rather than only those who had opted in. No fewer than 1.3 million DNA records were affected. The company confirmed this on its Facebook page, describing it as a “security vulnerability orchestrated by a sophisticated attack on one of our servers through an existing user account.”
GEDmatch lets users upload their DNA data to help trace their family trees. The sensitive point is that users can choose whether to share their data with law enforcement: that opt-in is meant to be a privacy control, and it is how the service was used in 2018 to identify the notorious “Golden State Killer.”
In a public statement, the company said the breach resulted only in user permissions being reset and that no user data was compromised or downloaded. However, the DNA testing company MyHeritage reported on Tuesday that its users had been targeted in phishing attacks that may be linked to the GEDmatch incident.
The attackers registered a look-alike domain, myheritaqe.com (nearly indistinguishable from myheritage.com at a glance), and sent phishing e-mails to lure people to the site and capture their login credentials. MyHeritage contacted several recipients of the e-mails and found that all of them were GEDmatch users whose names and e-mail addresses had been exposed.
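The myheritaqe.com domain is a classic typosquat: a single glyph (q for g) is swapped for one that looks similar. The script below is an added example, not code from MyHeritage or GEDmatch, showing how to screen domains pulled from e-mail links against a short list of protected brand names by folding confusable character sequences and then comparing edit distance. The brand list, the confusable table and the sample domains are constructed for the demonstration.

```python
"""Flag look-alike domains for a small set of protected brand domains.

Added example, not part of the original article. The protected list, the
confusable map and SAMPLE below are constructed for the demo; in practice
feed in domains extracted from mail logs or passive DNS.
"""
from typing import Dict, Iterable, List, Optional

# Assumption: the genealogy services named in the article are the brands to protect.
PROTECTED: List[str] = ["myheritage.com", "gedmatch.com", "23andme.com", "ancestry.com"]

# Character sequences that read alike at a glance (q/g, 0/o, 1/l, vv/w, rn/m, cl/d).
CONFUSABLES: Dict[str, str] = {"q": "g", "0": "o", "1": "l", "vv": "w", "rn": "m", "cl": "d"}


def normalize(label: str) -> str:
    """Fold visually confusable sequences to a canonical spelling."""
    s = label.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels; adequate for .com-style names used here."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain: str, protected: List[str] = PROTECTED,
                 max_dist: int = 1) -> Optional[str]:
    """Return the protected domain this one imitates, or None.

    An exact match is legitimate. A domain is suspicious if, after confusable
    folding, its second-level label equals or is within max_dist edits of a
    protected label, or embeds that label inside a longer name
    (e.g. myheritage-support.com).
    """
    cand = registrable(domain)
    if cand in protected:
        return None
    cand_label = normalize(cand.split(".")[0])
    for p in protected:
        p_label = normalize(p.split(".")[0])
        if cand_label == p_label or edit_distance(cand_label, p_label) <= max_dist:
            return p
        if p_label in cand_label:
            return p
    return None


def scan(domains: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious domain to the brand it imitates."""
    hits: Dict[str, str] = {}
    for d in domains:
        target = lookalike_of(d)
        if target:
            hits[d] = target
    return hits


# Constructed sample: domains extracted from links in a batch of e-mails.
SAMPLE = [
    "myheritage.com",          # legitimate
    "myheritaqe.com",          # q for g, as in the article
    "login.myheritaqe.com",    # same registrable domain behind a subdomain
    "gedrnatch.com",           # rn for m
    "example.org",             # unrelated
    "23andrne.com",            # rn for m
    "myheritage-support.com",  # brand embedded in a longer name
]

if __name__ == "__main__":
    for d, brand in scan(SAMPLE).items():
        print(f"{d:26s} -> imitates {brand}")
```

The confusable table is deliberately short; a production screen would use the Unicode confusables data and also look at IDN (punycode) labels, but the structure stays the same: normalize, then compare.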
MyHeritage advises users to enable two-factor authentication and warns that the attackers could soon target other genealogy services such as 23andMe and Ancestry. Meanwhile, GEDmatch’s website remains offline until the company is “absolutely certain that user data is protected from potential attacks. We are working with a cybersecurity company to conduct a comprehensive forensic review and help us implement the best security measures.”
Verogen, the company that owns GEDmatch, said that before the attack only 280,000 users had chosen to share their data with law enforcement. In Sunday’s breach, the rest were opted in without their knowledge, which could erode overall trust in genealogy services.
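The consequence described above, a sharing preference flipped for roughly a million accounts from a single compromised user account, is the kind of event an audit trail should catch even when no records are downloaded. The following is an added example, not GEDmatch’s or Verogen’s code, of two checks a practitioner would run over permission-change audit records: no account should change the law-enforcement opt-in of another account, and no single actor should flip many opt-ins to true within a short window. The record layout, the thresholds and the sample entries are assumptions constructed for the demonstration.

```python
"""Detect cross-account and bulk changes to a per-user law-enforcement opt-in flag.

Added example, not the code of any company named in the article. The audit
record format, the 5-minute window and the threshold of 3 are assumptions;
the AUDIT entries are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit log: who changed whose opt-in flag, from what to what, and when.
AUDIT: List[Dict] = [
    {"ts": "2020-07-19T02:00:00", "actor": "u1001", "subject": "u1001", "old": False, "new": True},
    {"ts": "2020-07-19T02:05:00", "actor": "u2002", "subject": "u2002", "old": True,  "new": False},
    {"ts": "2020-07-19T03:00:00", "actor": "u3003", "subject": "u4004", "old": False, "new": True},
    {"ts": "2020-07-19T03:00:01", "actor": "u3003", "subject": "u4005", "old": False, "new": True},
    {"ts": "2020-07-19T03:00:02", "actor": "u3003", "subject": "u4006", "old": False, "new": True},
    {"ts": "2020-07-19T03:00:03", "actor": "u3003", "subject": "u4007", "old": False, "new": True},
]

Alert = Tuple  # (kind, actor, detail, timestamp)


def may_change_opt_in(actor: str, subject: str) -> bool:
    """Authorization rule: only the account owner may change their own flag.

    Assumption: administrative changes go through a separate, explicitly
    audited path and never through the ordinary user-account route.
    """
    return actor == subject


def find_anomalies(records: List[Dict],
                   window: timedelta = timedelta(minutes=5),
                   bulk_threshold: int = 3) -> List[Alert]:
    """Return alerts for cross-account changes and bursts of opt-ins by one actor."""
    alerts: List[Alert] = []

    # Check 1: a user account changing another user's preference.
    for r in records:
        if not may_change_opt_in(r["actor"], r["subject"]):
            alerts.append(("cross_account_change", r["actor"], r["subject"], r["ts"]))

    # Check 2: many False->True flips by one actor inside a sliding window.
    opt_ins: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r["old"] is False and r["new"] is True:
            opt_ins[r["actor"]].append(datetime.fromisoformat(r["ts"]))
    for actor, times in opt_ins.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= bulk_threshold:
                alerts.append(("bulk_opt_in", actor, count, times[end].isoformat()))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(AUDIT):
        print(a)
```

Check 1 is the preventive control (the same predicate should gate the write itself, not just the audit), and check 2 is the detective control that would have fired within seconds of a mass reset, whether or not any DNA record left the server.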
“It’s not just a matter of GEDmatch: the privacy breach of a genetic genealogy database highlights the serious lack of regulatory safeguards for the most sensitive information in the new arena of civil liberties,” Elizabeth Joh, a law professor at the University of California, told TechCrunch.
While services such as MyHeritage do not share users’ DNA with the authorities, other companies are willing to provide it to agencies such as the FBI. Companies like FamilyTreeDNA have further highlighted the problem, and opting out is presented as a way to prevent wrongful convictions.