This site published an article early this year warning consumers against loading their DNA and family information on genealogy websites. This warning has now come true, with the hack not only affecting the original website but also a second website.
Consumers Warned about DNA Testing
An article was published on this site earlier in the year called Online DNA Test Data Vulnerable to Genetic Hacking. The article warned consumers that DNA data and information they uploaded to genealogy websites about their family was vulnerable to hacking.
The article also referred to a paper which states that the vulnerabilities of public genealogy databases are numerous and pose a serious threat to consumer privacy. It is not only the privacy of the individual uploading the data that is in jeopardy; the privacy of everybody related to that individual is affected as well. Furthermore, the concern is not only how DNA data and other genealogical information is used now, but also how this data will be used, and into whose hands it will fall, in the future.
All the warnings have now come true. The paper had stated that the problem applied only to public databases and not to commercial DNA sequencing companies, yet the database found wanting was not a public database. The database that was hacked belonged to a supposedly “safe” commercial DNA sequencing company called GEDmatch.
GEDmatch is a genealogy website founded and previously run by two amateur genealogy enthusiasts, Curtis Rogers and John Olson. GEDmatch was then purchased last December by Verogen, a forensic genetics company. With the purchase of GEDmatch by Verogen, it was hoped that individuals’ genetic privacy would be more secure.
However, since the purchase, Verogen has been trying to alleviate consumer concerns surrounding their genetic privacy. Consumers have been concerned because GEDmatch profile data has already been used by police in the past. Furthermore, Verogen’s business model is based on using genetic genealogy to help solve violent crimes.
GEDmatch was first used by police back in 2018 to help arrest the so-called Golden State Killer, Joseph DeAngelo. Investigators managed to match DNA found at a crime scene back in 1980 to profiles on GEDmatch. These profiles belonged to DeAngelo’s distant relatives and were used to build a family tree that eventually led to the killer.
To help alleviate consumer concerns, Verogen improved its security. Users are now required to explicitly “opt in” to allowing law enforcement agencies to access their data. According to Verogen, some 280,000 of its 1.45 million users had opted in.
However, the breach of the GEDmatch website exposed all 1.45 million profiles to law enforcement agencies. Verogen explained in a statement posted on Facebook that the breach had been “orchestrated through a sophisticated attack on one of our servers via an existing user account.” The statement went on to say: “As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.”
The GEDmatch permissions were soon reset to normal and the services came back online briefly. However, Verogen took the site down again a couple of days later after it faced a second breach. The site remained offline for several days after the second breach with a message reading: “The GEDmatch site is down for maintenance. Currently no ETA for availability.” The website is now back online.
Breach Affects Other Genealogy Website
Although Verogen reassured its users that “No user data was downloaded or compromised”, this claim quickly came into question. A couple of days later, MyHeritage website users came under a phishing attack. Users were sent phishing emails containing a link that redirected them to a fake MyHeritage login page. The fake login page was used by the attackers to harvest MyHeritage users’ usernames and passwords.
MyHeritage stated in a blog post: “Because GEDmatch suffered a data breach two days ago, we suspect that this is how the perpetrators got their email addresses and names for this abuse”. The post also said that at least 16 users had fallen victim to the phishing emails before MyHeritage became aware of the attack. MyHeritage has since warned all of its users who also have profiles on GEDmatch to change their passwords for the MyHeritage website and to activate two-factor authentication. MyHeritage does not allow its database to be used by police.