GEDmatch, the world's largest open-source DNA registry, appears to have suffered a major privacy breach over the weekend. While over one million kits are on the website, users must opt in to give law enforcement access to their kits. However, this opt-in control appears to have been bypassed, with users finding their kits automatically open to law enforcement without having opted in.


The other corroborated but alarming claim is the multiple reports of false matches and spam emails that appear not to come from real users. Users upload their data as an Excel-style file, so the actual quality of the matches is not guaranteed: a user can edit the file so that it deviates from what their DNA would actually represent. This is far-fetched in practice, but it is something to consider before contacting strangers from an open-source database.


Users are currently experiencing spam solicitations, possibly resulting from the security incident.


If this assertion is true, kits that should have been private for research were displayed publicly for police to use in court cases. This would be a major lapse in data governance. And with the site down, users cannot demand that their data be kept private from police.

The exposure could affect you regardless of whether you had your own DNA test on the website. DNA is shared among extended family and relatives, so many of those potentially affected may be completely unaware. GEDmatch was originally a project of John Olson and Curtis Rodgers, but the assets were sold in late 2019 to a forensic genomics firm called Verogen.

Sometimes this data can help catch criminals, but it can also expose marital infidelity or genetically transmitted diseases. Either way, the extended downtime and possible data exposure are a big blow to the reputation of the website. The first notable incident, the Golden State Killer being caught via the website, led to a lot of uproar, and the site lost some users over it. GEDmatch promised that informed consent would be obtained before users' data could be given to police, and this promise appears to have been broken over the weekend.

Edit: as of 2:10 P.M. it appears to be back with original privacy settings restored.

Edit: 3:30 P.M. and it is down again.

There has been no update regarding data privacy from VerogenBio.

2 thoughts on "World's largest open source DNA registry suffers outage and possible data exposure"

1. GEDmatch has NEVER promised informed consent. The default condition for new uploads is to be opted into law enforcement matching, and the accompanying text doesn't explain what that entails nor list any of the pros and cons (required for consent to be informed). What's more, informed consent can only be given in the absence of undue pressure, and GEDmatch actively encourages people to opt in. Here's the text beside the default selection, verbatim: "This kit will be shown in match results for all other kits in the database. The operators of GEDmatch encourage everybody to select this option unless they have specific reasons not to."