Image: Justin Sullivan (Getty Images)
Mailing your spit to an ancestry site and uploading it to a DNA matching database has seemed like a pretty bad idea since 2018 when federal law enforcement officials tracked down the Golden State killer through a discarded tissue and his relatives’ online genetic profiles on GEDMatch. Since that episode generated a widely-publicized alarm, GEDMatch, which is owned by the forensic science company Verogen, changed its policy so that users could opt-in to make their information available to law enforcement. But security breaches happen, and earlier this week, GEDMatch announced that, on July 19th, hackers had performed a “sophisticated attack” on one of their servers “using an existing user account.” For three hours, law enforcement officials were able to gain access to 1.2 million profiles that hadn’t opted-in to law enforcement access, and users were able to see law enforcement accounts.
GEDMatch announced the first breach on Facebook and then confirmed, in a statement shared with Gizmodo, that someone launched a second, similar attack on July 20th. The site is currently down, and GEDMatch has said that it’s working on shoring up for other potential vulnerabilities.
“We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site,” the statement reads. “When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.”
But it’s confusing why that matters—couldn’t law enforcement officers still have used a search to generate a lead, even without the raw DNA file?
Yes, GEDMatch told Gizmodo. They said that law enforcement “never receives raw
In other words, yes, 1.2 million non-consenting users could have been implicated in a criminal investigation during that three-hour window. It doesn’t matter whether no one was identified, or whether the window was one minute; the company made the impossible promise that it would shield over a million users from investigators, and it failed, because everything breaks.
While GEDMatch claims that no user data was compromised or downloaded, there’s evidence to the contrary; a similar Israeli site MyHeritage reported two days later that its users had been targeted in a phishing attack on emails that were “apparently compromised from GEDmatch.” Users were led to a spoof website “myheritage.com” and prompted to log in. MyHeritage claims that all of the victims it spoke to had GEDMatch profiles and reasonably guessed that the emails came from the GEDMatch breach; one was reached via an email address they’d only used for GEDMatch but not MyHeritage. GEDMatch told Gizmodo that they “have no evidence” that the MyHeritage attack was linked to the breach.
Even so, the breach looks bad, after GEDMatch and other sites have made a concerted effort to reassure customers that their genetic information was safe. In the two intervening years since the Golden State killer case, we’ve been beaten over the head with almost weekly news of the mass biometric data harvesting.
When Verogen purchased GEDMatch in 2019, Verogen CEO Brett Williams promised that they would fight warrants for information of users who hadn’t opted to make their data available to law enforcement. GEDMatch doesn’t say the extent to which it allows law enforcement to access its database, but it apologized in its Facebook statement to its “law enforcement customers.”
Even if you haven’t submitted your genetic data to any site, you should still think twice about leaving your DNA at a crime scene. In 2018, Science Magazine reported that 60% of white Americans could be identified by genetic information on ancestry databases. While the Justice Department set rules last year for using genetic information in investigations, a subsequent Los Angeles Times investigation found that, nationally, “There is no uniform approach for when detectives turn to genealogical databases to solve cases.”