Sometime on the morning of Sunday, 19 July 2020, the GEDmatch site was either hacked or experienced a severe programming failure. DNA kit privacy has been breached? Kits that were marked “private” or “research”, meaning they should not show in the match lists of anyone else, because visible, and kits that had opted out of law enforcement matching were opted in.
This is a breaking story. I will update as more information becomes available. If you have screen shots you’re willing to share, please let me know.
Update 9:00 AM Pacific Time, 19 July (Sunday)
I was briefly able to get into GEDmatch. My one remaining kit is a post-mortem DNA analysis with low data quality. It should neither be part of the main matching pool nor opted in to law enforcement matching. At last check, it was both.
The site went down again before I was able to change the kit settings.
On social media, people are reporting seeing kits with Parabon email addresses. This, it appears that even the law enforcement kits were exposed to public matching. I wonder how many there are.
Update 9:40 AM Pacific Time, 19 July (Sunday)
A reader, who wishes to remain anonymous, sent this screenshot. It includes a Doe kit (unidentified deceased person) as well as what are likely experimental kits (“randompartial”) not meant for general matching.
Update 10:00 AM Pacific Time, 19 July (Sunday)
I was able to log in. The settings on my kit have been reset to their original state, and I was not able to find any law enforcement or Doe kits in the match lists of five randomly selected kits. The problem appears to be fixed for now.
Update 11 AM Pacific Time, 19 July (Sunday)
I’ve learned that kits from the European Union that are protected by GDPR privacy laws were also affected. I’m no expert on GDPR, but as I understand it, GEDmatch will have to report the breach to authorities within 72 hours and may be subject to fines.
I’m also hearing reports that some people have lost kits from their accounts.
Now is a good time to remind readers that GEDmatch does not and has never gotten fully informed consent for law enforcement matching. More information is here.
Update 3:30 PM Pacific Time, 19 July (Sunday)
TechCrunch reports that Brett Williams, the CEO of GEDmatch’s parent company “would not say, when asked, if Verogen or Gedmatch have received any law enforcement requests for user data in the past day, or if either company has responded.”
Update 5 PM Pacific Time, 20 July (Monday)
Although GEDmatch posted a statement yesterday evening on their Facebook page saying the problems were fixed, they weren’t.
Today, around 4:30 PM PDT, research kits (which should not be visible in general searches) were once again added to the public matching database. The site was taken down again about 15 minutes later.
GEDmatch has still explained what went wrong, nor have they apologized to their users for the privacy breaches.
Update 5:45 PM Pacific Time, 20 July (Monday)
GEDmatch issued a second statement acknowledging that they were hacked by one of their users. It’s unclear whether today’s problems were a second hack.
Update 9:15 AM Pacific Time, 21 July (Tuesday)
GEDmatch announced on their Facebook page that they would be offline for up to 3 days. I have not yet received an email notification from them, so they appear to have not notified their users directly.
Update ≈3 PM Pacific Time, 21 July (Tuesday)
MyHeritage alerted its customers that they were the target of a phishing attack that they believe was tied to the GEDmatch hack. Read more here.
Update 3:30 PM Pacific Time, 21 July (Tuesday)
In two separate statements on their official Facebook page, GEDmatch states that they encrypt the DNA data.
However, their Site Policy (archived 27 May 2020) explicitly says that the data is not encrypted.
Update 7:30 AM Pacific Time, 22 July (Wednesday)
GEDmatch emailed their users to alert them to the security breach. The email in full read:
Dear GEDmatch member,
On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.
On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.
We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.
Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.
We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.
Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at gedmatch@verogen.com or (858) 285-4101. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.
Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.
Sincerely,
Brett Williams
CEO, Verogen Inc.
Additional Reading
Peter Aldhous, A Security Breach Exposed More Than One Million DNA Profiles On A Major Genealogy Database, BuzzFeed News, 22 July 2020.
Debbie Cruwys Kennett, Major privacy breach at GEDmatch, Cruwys News Blog, 19 July 2020.
Zach Whittaker, Gedmatch investigating after user DNA data made available to police, TechCrunch, 19 July 2020.