Two Security Breaches at GEDmatch Open All Users’ Profiles to Law Enforcement

A month before Verogen officially acquired GEDmatch, a team of genetic security researchers revealed a flaw in GEDmatch’s relative-matching algorithm that would allow a hacker to scrape more than 90 percent of users’ DNA data. Almost as soon as the acquisition went through in December 2019, Verogen CEO Brett Williams told Forensic that the company had already addressed GEDmatch’s previous security issues and was committed to monitoring and correcting any other security flaws.

All had been well since then, until the morning of July 19, when GEDmatch experienced a security breach on one of its servers through an existing user account. The breach reset all user permissions, making all profiles visible to others for approximately 3 hours. Verogen confirmed in a statement that, during this time, users who had not opted in to law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were visible to GEDmatch users.

While no user data was downloaded or compromised during Sunday’s breach, Verogen said in a statement on Monday that the site was still vulnerable, so the forensic company took it offline until “such time that we can be absolutely sure that user data is protected against potential attacks.” Later on Monday, Verogen confirmed GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

Verogen sent an email to GEDmatch users on Wednesday explaining the events of the previous three days.

“We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information,” reads the email. “Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.”

On Thursday morning, Williams told Forensic that, in the months since Verogen acquired GEDmatch, “we increased security protocols to eliminate the possibility of attacks based on known vulnerabilities.”

He also said the sequencing company has contracted with a “highly respected cybersecurity firm that will provide a detailed forensic analysis and recommend and implement the highest security protocols. The firm will perform ongoing analysis and monitoring in order to alert us to any future threats.”

On Friday, July 24 at 11:00 am EDT the GEDmatch site was still offline with no ETA available.
