A security breach opened up access to a genealogy site’s DNA profiles

Info could've been accessed by anyone, including law enforcement.

Over the weekend, a security breach changed the permission settings on millions of profiles in GEDmatch, a DNA database used by genealogists. For three hours, DNA profiles were visible to all members, including law enforcement agencies, which sometimes use the site to find partial matches to crime scene DNA.

Usually, GEDmatch users can select whether or not they want to share their DNA profile with police. When the attack reset users’ permissions, their data was temporarily visible to law enforcement. It’s unclear if any police searched the database during that time.

According to Verogen, the company that recently purchased GEDmatch, no user data was downloaded or compromised. But two days later, the genealogy website MyHeritage alerted users to a phishing scheme that targeted people who used both MyHeritage and GEDmatch. In a statement posted online, the company said it suspects the attackers may have gleaned the email addresses from GEDmatch.

Verogen has taken GEDmatch down. The company says it is working with a cybersecurity firm to conduct a forensic review and safeguard the site. That may not be enough to recover users’ trust.

Some already see giving law enforcement access to DNA profiles as controversial. As BuzzFeed News reports, this incident could limit those on both sides of the debate. If GEDmatch can’t keep data safe, users may be less likely to create DNA profiles, which could make it harder for police to use the site to solve cold cases. On the other hand, if GEDmatch can’t limit police access, users who may have made a profile on the condition it wouldn’t be used by law enforcement may not create a profile at all. That means less data for genealogists to work with.