Data Breach Update: Commercial DNA Site Hacked, Making User Profiles Visible to Law Enforcement
DNA analysis and profiling companies are popular with users seeking to learn about their ethnic and cultural background as well as genetic predispositions to diseases and disorders. They also hold DNA information valuable to law enforcement. The most notorious case solved by matching DNA found at a crime scene to profiles in commercial DNA databases was that of James DeAngelo, known as the Golden State Killer, who recently pleaded guilty to multiple murders and other crimes.
According to reports, GEDmatch, a site geared towards finding genetically related individuals, was subject to two security breaches on July 19 and 20, 2020. GEDmatch allows its users to opt in to having their DNA included in police searches. As a result of the hacks, those settings were changed without the users’ permission and their DNA profiles were temporarily visible to law enforcement. At this time, it is unclear whether any unmasked profiles were actually searched by law enforcement.
According to the site’s owner, the unmasking of the profiles was “orchestrated through a sophisticated attack on one of [the company’s] servers via an existing user account.” Following the attack on GEDmatch, MyHeritage, an Israeli-based genealogy website, was subjected to a phishing attack on July 21, apparently targeting email addresses obtained in the attack on GEDmatch.
U.S. privacy laws offer some protection to consumers with respect to their genetic information. For example, the federal Genetic Information Nondiscrimination Act of 2008 protects Americans from discrimination based on their genetic information in both health insurance and employment. In addition, the California Consumer Privacy Act includes DNA information within the scope of “personal information” subject to its provisions.