On the morning of July 19, hackers accessed the online DNA database GEDmatch and temporarily allowed police to search the profiles of more than 1 million users that were previously not accessible to law enforcement. GEDmatch is a genealogy tool that allows users to upload their DNA profiles generated from genetic testing services like 23andMe, Ancestry, and MyHeritage and search for relatives.

It took three hours until GEDmatch became aware of the breach and pulled the site offline completely. Users have to give permission for their profiles to be included in police searches, but the breach overrode privacy settings and made user profiles on the site visible to all other users, including law enforcement officials who use the site.


The breach is likely to erode users’ trust in the database, which has become a valuable law enforcement tool for solving cold cases, like the high-profile Golden State Killer case. It may also be a sign of what’s to come: more attempted hackings of DNA databases, which contain a wealth of extremely personal information, like family relationships, ancestry, and potential health risks.

“Our banks are always being probed, our DNA will probably be probed, too,” says Leah Larkin, PhD, a genealogist and genetic privacy advocate who runs The DNA Geek, a company that helps people locate relatives.

In a July 20 statement on its website, Verogen, the San Diego forensic genetics firm that acquired GEDmatch in December, said there is no evidence that any user data was compromised or downloaded during the breach. But on July 21, genetic testing company MyHeritage reported in a blog post that the hackers appeared to have retrieved user emails from GEDmatch to orchestrate another attack. MyHeritage said the perpetrators set up a fake MyHeritage website and sent users a phishing email asking them to log in to it, ostensibly so the hackers could steal passwords.

At least 16 people fell victim to the fake website. MyHeritage says it has attempted to contact the more than 100 users who received the phishing email. It’s not known whether the hackers used those passwords to access users’ MyHeritage accounts.

The motivation for the attacks is unclear. The hackers could have been after passwords, emails, or credit card information, or they could have wanted access to genealogical data or genetic information.

“Any kind of consumer profile with a company could certainly be rich with personal information,” says Rachele Hendricks-Sturrup, health policy counsel at the Washington, D.C.-based Future of Privacy Forum. One reason hackers might target genetic data is to make fake patient profiles and file fraudulent insurance claims, she says.

Sensitive information gleaned from genetic data could also be used for blackmail or corporate espionage if it gets into the wrong hands. A criminal enterprise might want access to find out if they have relatives in the database. Even having a second or third cousin in the database makes it possible for cops to link offenders to crimes.

A Verogen spokesperson told OneZero that GEDmatch encodes DNA data uploaded by users, then deletes the raw DNA files. But there’s still plenty of information on GEDmatch that could be of interest to hackers. For instance, you could see people’s family trees and the amount of DNA that users share.
