DNA analysis service GEDmatch suffers breach exposing 1.3 million DNA profiles

nanoguy

Why it matters: Private DNA profiling companies like GEDmatch have surged in popularity by offering people the ability to explore their family histories and health risks. Lately, many of these companies have begun expanding into the forensic genomics market to create DNA profiles for law enforcement, often without a solid cybersecurity strategy in place to protect the users' data.

On July 19, a major security breach prompted the owners of DNA analysis service GEDmatch to take the website offline. After a preliminary investigation, it was revealed that a treasure trove of DNA profiles had been made available for law enforcement searches (and by extension, all other users of the service).

The incident exposed no less than 1.3 million DNA records from its database. The company confirmed as much on its Facebook page, and described it as "a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account."

GEDmatch allows users to upload their DNA profiles to help trace their ancestry tree. The breach was made possible by the fact that users can opt in to have their data shared with law enforcement. That setting was meant as a privacy control, since the service was famously used in 2018 to identify the "Golden State Killer."

In a public statement, the company explained that the breach merely resulted in user permissions being reset, with no actual user data being compromised or downloaded. However, DNA testing company MyHeritage reported on Tuesday that its users had been the targets of a phishing attack that may be connected to the GEDmatch incident.

The attackers created a fake website called myheritaqe.com (almost indistinguishable from myheritage.com) and used an email campaign to draw people to it and obtain their login details. After contacting several people who received the email, MyHeritage found that all of them were GEDmatch users whose email address and name had been compromised.
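The lookalike domain described above swaps a single character (q for g) so the address passes a casual glance. The following Python check, added here as an illustration and not part of the article or of any product mentioned in it, is the kind of sender-domain triage a mail gateway or SOC script can run: it folds a small table of visually confusable substrings and measures edit distance against a defender-maintained list of protected brand domains. The brand list, the confusable table and the sample sender addresses are all constructed for this example, and the "registrable domain" logic naively takes the last two labels (it does not handle multi-part public suffixes such as co.uk).

```python
"""Flag sender domains that impersonate a protected brand domain.

Added example for illustration; the brand list, confusable table and
sample senders below are constructed, not taken from any real incident data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the defender maintains this list of brands worth protecting.
PROTECTED_DOMAINS = ("myheritage.com", "gedmatch.com", "23andme.com", "ancestry.com")

# Constructed table of visually confusable substrings (deliberately small).
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than import a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive eTLD+1: keep the last two labels. Assumption: no multi-part suffixes."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Rewrite confusable substrings to the character they imitate."""
    out = label
    for lookalike, real in CONFUSABLES.items():
        out = out.replace(lookalike, real)
    return out


@dataclass
class Verdict:
    sender_domain: str
    impersonates: Optional[str]  # protected domain being mimicked, if any
    reason: str


def check_sender(address: str, max_distance: int = 2) -> Verdict:
    """Return a verdict for one sender address (user@host)."""
    domain = registrable(address.rsplit("@", 1)[-1])
    if domain in PROTECTED_DOMAINS:
        return Verdict(domain, None, "exact match with protected domain")
    name = domain.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        if fold_confusables(name) == brand_name:
            return Verdict(domain, brand, "confusable-character substitution")
        distance = levenshtein(name, brand_name)
        if 0 < distance <= max_distance:
            return Verdict(domain, brand, f"edit distance {distance}")
    return Verdict(domain, None, "no lookalike detected")


def triage(senders: List[str]) -> List[Verdict]:
    """Keep only senders that appear to impersonate a protected brand."""
    return [v for v in map(check_sender, senders) if v.impersonates]


if __name__ == "__main__":
    # Constructed sample of inbound sender addresses.
    sample = [
        "alerts@myheritaqe.com",      # q-for-g swap, like the domain in the article
        "support@myheritage.com",     # legitimate
        "news@mail.gedrnatch.com",    # rn-for-m swap on a subdomain
        "hello@ancestory.com",        # one inserted letter
        "billing@example.com",        # unrelated
    ]
    for verdict in triage(sample):
        print(f"{verdict.sender_domain} -> {verdict.impersonates} ({verdict.reason})")
```

A hit from this check is a triage signal, not a verdict on its own: confirm with SPF/DKIM results and domain registration age before blocking, and tune max_distance so short brand names do not collide with unrelated domains.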

MyHeritage has recommended that users set up two-factor authentication and noted that attackers may soon target other genealogy services like 23andMe and Ancestry. In the meantime, GEDmatch's website is down until the company can "be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures."

Verogen, the company that owns GEDmatch, says that only 280,000 users opted to share their data with law enforcement before the attack. During the breach on Sunday, everyone else was opted in without them even knowing, which could decrease overall trust in genealogy services.

Elizabeth Joh, who teaches law at the University of California, told TechCrunch "this isn’t simply GEDmatch’s problem: a privacy breach in a genetic genealogy database underscores the woefully inadequate regulatory safeguards for the most sensitive of information, in a novel arena for civil liberties."

While services like MyHeritage don't share your DNA profile with authorities, other companies are keen on selling it to agencies like the FBI. The problem is further accentuated by companies like FamilyTreeDNA, which practice an opt-out approach and see it as a way to prevent false convictions.


 
If someone illegally clones me, I honestly won't be upset.

Just so long as I'm entitled to part of his (my?) paycheck.

Cloning isn't strictly illegal in the US

https://en.wikipedia.org/wiki/Human_cloning

Not that you'd ever want to do it. You may be held responsible for crimes committed by your clone and it would not be fun coming home to your wife / girlfriend having relations with your copy. I'm pretty sure most people would hate having a copy of themselves around. After all that's 2 people jockeying for the exact same position.
 
Yeah - I saw Judge Dredd.
 
Sorry, about as bad as soundtracks on TV shows. I gave up on baseball after the last of the many strikes in the '90s.
 
The major customer for this stolen information is most certainly medical insurance carriers. One of the best ways to stop it would be to enact a Federal Law that makes it a crime to have such information and a major crime for an insurance company to use that information in ANY form or any way.
 
Seems like a really weird thing for hackers to do. It sounds much more like the company made a mistake, then couldn't work out how to rectify it so ended up blaming it on hackers. Unless of course it was the police doing the hacking ...
 