GEDmatch, the world’s largest open source DNA registry, appears to have suffered a major privacy breach over the weekend. While over one million kits are on the website, users must opt in to give law enforcement access to their kits. However, this opt-in control appears to have been breached, with users finding their kits automatically open to law enforcement without having opted in.
The other corroborated but alarming claim is the multiple reports of false matches and spam emails which appear not to come from real users. Users upload data in an Excel format, so the actual quality of the matches is not guaranteed: users can edit the Excel file so that the data deviates from what their DNA would actually represent. Theoretically this is far-fetched, but it is something to consider when contacting strangers from an open source database.
— Graham Coop (@Graham_Coop) July 19, 2020
If this assertion is true, kits that should have been private for research were displayed publicly for police to use in court cases. This would be a big leak in terms of data governance. And with the site down, users cannot demand their data be private from police.
The exposure could impact you regardless of whether you had your personal DNA test on the website. DNA is shared among extended family and relatives, so many of those potentially impacted may be completely unaware. GEDmatch originally was a project of John Olson and Curtis Rodgers, but the assets were sold in late 2019 to a forensic genomics firm called Verogen.
Sometimes this data can help catch criminals, but it can also expose marital infidelity or genetically transmitted diseases. Either way, the extended downtime and possible data exposure are a big blow to the reputation of the website. The first notable incident, the Golden State Killer being caught via the website, led to a lot of uproar, and the site lost some users over it. GEDmatch promised that informed consent would be given before users could give data to police, and this promise appears to have been broken over the weekend.
Edit: as of 2:10 P.M. it appears to be back with original privacy settings restored.
Edit: 3:30 P.M. and it is down again.
There has been no update regarding data privacy from VerogenBio.