GEDmatch, the genealogy and DNA-analysis service that gained popularity thanks to its role in identifying the Golden State Killer, experienced a massive security breach on July 19, the company said in a Facebook post this week. Exposed email addresses were then used on another genealogy website, MyHeritage, for a phishing campaign.
The breach exposed more than one million DNA accounts to law enforcement agencies without the users' explicit permission. The company insists that "no user data was downloaded or compromised," but the entire fiasco is a good reminder that genetic privacy is still woefully vulnerable to hacking and manipulation, and that you're better off learning about your family tree through folklore from your elders. There's also no telling how this data could be used down the line.
What GEDmatch says — On July 20, the website announced on Facebook:
Today, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.
The company called the security breach a "disappointing" incident for user privacy and data security. That is, arguably, precisely the sort of euphemistic understatement we should expect from a company that takes to Facebook to announce something like this.
The risks of genetic testing — The GEDmatch incident should remind us all that online genetic-testing firms are already ripe for exploitation. There are several reasons why it's prudent to avoid giving your highly personal data to these companies. For one, just like any other online service, these firms keep digital archives that can and do get hacked.
Customer data — your DNA in this case — is particularly delicate and unique. And despite claiming that security measures are being strengthened at all times, these breaches are pretty much inevitable. If DNA comes to play a more prevalent role in proving identity in years to come, these sorts of breaches could also lead to identity fraud, discrimination, false imprisonment, or a host of other, unintended, and currently unforeseeable consequences.
Opt-out may not apply — There's also no knowing who exactly benefits from accessing your DNA. Although users are given the option to opt out of industrial, academic, and pharmaceutical research, the likelihood of your personal data falling into third-party companies' hands remains, particularly if the company you gave it to fails to secure it properly or, less maliciously, is acquired and its buyers are less enthusiastic about users' privacy.
Further, as it stands the legislation surrounding the use of such data isn't especially robust. Perhaps most importantly, though, law enforcement agencies are extremely interested in private genetic information. Considering what's going on in the United States generally — and in Portland, Oregon, specifically — that interest is alarming.
The potential repercussions of others having access to such data are far-reaching. When you provide your genetic information to a testing company, you are also — whether you intend to or not — providing an intimate glimpse into your close and extended family. Researchers often insist that the data is anonymized to protect user privacy, but that protection does not necessarily hold when subpoenas, warrants, or similar orders demand to know who a particular DNA dataset pertains to.