GEDmatch is the DNA analysis site that was recently used by the Portland police to catch a serial killer, in the Golden State Killer case. It was pulled offline in the last few days while its parent company focused on a leak that left users' DNA data readily available to law enforcement searches.
It was later confirmed that this happened because of a breach in the system, which caused permission changes.
GEDmatch allows users to trace their family tree and ancestors just by uploading their DNA profile. In 2018, it gained overnight fame when law enforcement used the site to match DNA from a serial murder suspect against the million-plus DNA profiles in the site's database, without the knowledge of the company itself.
Earlier, GEDmatch issued a privacy warning to its existing users. It then introduced new controls so that users could choose to opt in to police investigations, meaning that their DNA profile could be accessed only with their permission. In the past week, however, it came to light that permissions had been changed and the entire data set was visible to law enforcement, which could access any user's DNA data it wanted.
On further investigation, the company found that there had been intrusions in the preceding days. Two security breaches had occurred in July, on July 19 and July 20.
The company claims to have taken down the site as soon as it became aware of the situation. Because of the breach, all permissions were reset and every individual's data became vulnerable. The company also said that the second breach was responsible for resetting users' permissions, making all the data available to law enforcement for investigations.
DNA profiling and analysis companies are gaining popularity because of users' interest in their own DNA data. Users trying to understand their backgrounds and find ancestral family members are the main driver for these companies. Law enforcement, however, is interested in access to genetic databases because it makes it easier to solve crimes using DNA left at crime scenes.
It was also reported that the company never received any notification of law enforcement requests during the two-day incident. GEDmatch does not always make requests from law enforcement public, whereas competing companies frequently do.
Even though the issue was fixed, the breach leaves a lot of open questions. Whether GEDmatch's data was accessed in this breach remains highly questionable, as law enforcement has not put forward details of what happened during the investigation. This is not only about the company but, more importantly, about the users whose highly sensitive information is flying everywhere.