GEDmatch webservers suffered two data breach attacks that exposed 1.2 million United States citizens' DNA profiles
A DNA profiling service called GEDmatch suffered two hacking and data breach attacks in two days. On Sunday, the genealogy website suffered a security breach that exposed the DNA profiles of more than a million people to law enforcement agencies. GEDmatch told its members about the data breach in a message emailed and posted on Facebook. The message said that GEDmatch had suffered a data breach on Sunday due to a “sophisticated attack” on its servers through an existing user account. The data breach exposed DNA profiles of 1.2 million American citizens to the police for three hours.
“We became aware of the situation a short time later and immediately took the site down,” GEDmatch said.
When GEDmatch patched the data breach and resumed the website on Monday, it was again subjected to a massive hack attack. This time, the hackers reset all user permissions to allow complete access to the police, the company said.
“We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site,” the company said. “When you upload your data, the information is encoded and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.”
“We discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks,” said Brett Williams, CEO of GEDmatch’s parent company Verogen Inc. in a letter. “It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.”
Forensic genomics company Verogen Inc., based in California, acquired GEDmatch in December 2019. Members were advised of the partnership and given a chance to opt out of sharing their DNA profiles with police and other law enforcement agencies.
As of 2019, more than 1.2 million people have used the free service to upload data profiles from different DNA testing companies such as Ancestry and 23andme, and compare their autosomal DNA data files with others. The service has become a huge help for genealogists and people seeking to build their family trees by allowing one-to-one, one-to-many X-DNA comparisons, and other useful matrices.
At the time of writing this article, the GEDmatch website is still down with a maintenance message reading “The gedmatch site is down for maintenance. Currently no ETA for availability.”
Williams apologized for the breach and said the site will be up in a matter of days. Meanwhile, GEDmatch users can report any suspicious emails to [email protected] or (858) 285-4101.
GEDmatch made headlines in 2018 when it helped the California Police Department identify Joseph James DeAngelo through DNA profiling. DeAngelo was alleged to be the infamous Golden State Killer, the sadistic attacker who killed 13 people and raped nearly 50 women in California during the ’70s and ’80s.
DeAngelo last month pled guilty to dozens of crimes in return for being spared the death penalty.