On July 19, a major security breach prompted the owners of DNA analysis service GEDmatch to take the website offline. After a preliminary investigation, it was revealed that a treasure trove of DNA profiles had been made available for law enforcement searches.
The incident exposed no less than 1.3 million DNA records from its database. The company confirmed as much on its Facebook page, and described it as “a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account.”
Usually, GEDmatch users can select whether or not they want to share their DNA profile with police. When the attack reset users’ permissions, their data was temporarily visible to law enforcement. It’s unclear if any police searched the database during that time.
According to Verogen, the company that recently purchased GEDmatch, no user data was downloaded or compromised. But two days later, the genealogy website MyHeritage alerted users to a phishing scheme that targeted people who used both MyHeritage and GEDmatch. In a statement posted online, the company said it suspects the attackers may have gleaned the email addresses from GEDmatch.
In a public statement, the company explained that the breach merely resulted in user permissions being reset, with no actual user data being compromised or downloaded. However, DNA testing company MyHeritage reported on Tuesday that its users had been the targets of a phishing attack that may be connected to the GEDmatch incident.
The attackers created a fake website called myheritaqe.com (almost indistinguishable from myheritage.com) and used an email campaign to draw people to it and obtain their login details. After contacting several people who received the email, MyHeritage found that all of them were GEDmatch users whose email address and name had been compromised.
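As an added illustration (not from the article, and not MyHeritage's or GEDmatch's code), here is a defender-side check that flags link domains imitating a short watchlist of the services a user actually holds accounts with, using the q/g swap from the article's phishing domain as its test case; the watchlist and sample links are constructed for the example.

```python
# Added example: detect lookalike domains such as "myheritaqe.com" (the phishing
# domain the article describes) by comparing each link domain in a message
# against a watchlist of the genealogy services a user really uses.
WATCHLIST = ["myheritage.com", "gedmatch.com"]  # constructed for this example

# Character sequences that look alike in common fonts; q/g is the swap the
# article's phishing domain relied on. Each pair is folded to one spelling.
CONFUSABLE = [("q", "g"), ("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(s: str) -> str:
    """Map visually similar characters onto one canonical spelling."""
    for lookalike_seq, canonical in CONFUSABLE:
        s = s.replace(lookalike_seq, canonical)
    return s


def registrable(domain: str) -> str:
    """Reduce 'login.myheritaqe.com' to 'myheritaqe.com'. Assumes a one-label
    TLD such as .com, which covers the domains in this example."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike(domain: str, watchlist=WATCHLIST, max_distance: int = 1):
    """Return the watchlisted domain that `domain` imitates, or None.
    An exact match is legitimate. A domain that becomes identical after
    folding confusables, or sits within `max_distance` edits, is flagged."""
    cand = registrable(domain)
    if cand in watchlist:
        return None
    for good in watchlist:
        if fold_confusables(cand) == fold_confusables(good):
            return good
        if edit_distance(cand, good) <= max_distance:
            return good
    return None


def flagged_links(domains):
    """Map each suspicious link domain in a message to the brand it imitates."""
    return {d: hit for d in domains if (hit := lookalike(d)) is not None}
```

Run `flagged_links(["login.myheritaqe.com", "www.myheritage.com", "gedrnatch.com"])` on a parsed message's link domains to see which ones are flagged and which brand each imitates.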
MyHeritage has recommended that users set up two-factor authentication and noted that attackers may soon target other genealogy services like 23andMe and Ancestry. In the meantime, GEDmatch’s website is down until the company can “be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.”
Verogen has taken GEDmatch down. The company says it is working with a cybersecurity firm to conduct a forensic review and safeguard the site. That may not be enough to recover users’ trust.
Some already see giving law enforcement access to DNA profiles as controversial. As BuzzFeed News reports, this incident could hurt both sides of the debate. If GEDmatch can’t keep data safe, users may be less likely to create DNA profiles, which could make it harder for police to use the site to solve cold cases. On the other hand, if GEDmatch can’t limit police access, users who made a profile on the condition that it wouldn’t be used by law enforcement may not create one at all. That means less data for genealogists to work with.