DNA analysis service GEDmatch suffers breach exposing 1.3 million DNA profiles

Private DNA profiling companies like GEDmatch have surged in popularity by offering people the ability to explore their family histories and health risks. Lately, many of these companies have begun expanding into the forensic genomics market to create DNA profiles for law enforcement, often without a solid cybersecurity strategy in place to protect the users’ data.

On July 19, a major security breach prompted the owners of DNA analysis service GEDmatch to take the website offline. After a preliminary investigation, it was revealed that a treasure trove of DNA profiles had been made available to law enforcement searches (and, by extension, to all other users of the service).

The incident exposed no less than 1.3 million DNA records from its database. The company confirmed as much on its Facebook page, and described it as “a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account.”

GEDmatch allows users to upload their DNA profiles to help trace their ancestry tree. The breach turned on the setting that lets users opt in to having their data shared with law enforcement. That opt-in was intended as a privacy control; the service was used in 2018 to identify the infamous “Golden State Killer.”

In a public statement, the company explained that the breach merely resulted in user permissions being reset, with no actual user data being compromised or downloaded. However, DNA testing company MyHeritage reported on Tuesday that its users had been the targets of a phishing attack that may be connected to the GEDmatch incident.

The attackers created a fake website called myheritaqe.com (almost indistinguishable from myheritage.com) and used an email campaign to draw people to it and obtain their login details. After contacting several people who received the email, MyHeritage found that all of them were GEDmatch users whose email address and name had been compromised.
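Catching the kind of lookalike domain used in that campaign is something a mail gateway or proxy filter can do before a user ever clicks. The following is an added example, not code from GEDmatch, MyHeritage or the article: it folds visually confusable characters (the fake site swapped a “q” for the “g”) and measures edit distance against a small trusted-domain list, which is an assumption for the example.

```python
# Domains this check treats as trusted (an assumption for the example; extend
# with your own organisation's domains and partners).
TRUSTED_DOMAINS = ["myheritage.com", "gedmatch.com"]

# Visually confusable characters that substitute for each other in lookalike
# domains. The phishing site swapped 'q' for 'g'; the rest are common swaps.
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "rn": "m", "vv": "w"}


def fold_confusables(label: str) -> str:
    """Normalise a domain so confusable spellings compare equal."""
    folded = label.lower()
    # Multi-character confusables are replaced before single ones.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain that `candidate` imitates, or None.

    An exact match is not a lookalike. A candidate is flagged when its
    confusable-folded form equals a trusted domain (the 'q' for 'g' case)
    or when it is within `max_distance` edits of one.
    """
    cand = candidate.lower().strip(".")
    if cand in trusted:
        return None
    for t in trusted:
        if fold_confusables(cand) == fold_confusables(t):
            return t
        if edit_distance(cand, t) <= max_distance:
            return t
    return None
```

Run against the sender domain of inbound mail or the host of outbound links; a non-None result is a strong phishing signal worth quarantining or warning on.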

MyHeritage has recommended that users set up two-factor authentication and noted that attackers may soon target other genealogy services like 23andMe and Ancestry. In the meantime, GEDmatch’s website is down until the company can “be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.”

Verogen, the company that owns GEDmatch, says that only 280,000 users had opted to share their data with law enforcement before the attack. During the breach on Sunday, everyone else was opted in without their knowledge, which could decrease overall trust in genealogy services.

Elizabeth Joh, who teaches law at the University of California, told TechCrunch “this isn’t simply GEDmatch’s problem: a privacy breach in a genetic genealogy database underscores the woefully inadequate regulatory safeguards for the most sensitive of information, in a novel arena for civil liberties.”

While services like MyHeritage don’t share your DNA profile with authorities, other companies are keen on selling it to agencies like the FBI. The problem is further accentuated by companies like FamilyTreeDNA, which practice an opt-out approach and see it as a way to prevent false convictions.