GEDmatch confirms data breach after users’ DNA profile data made available to police

GEDmatch, the DNA analysis site that police used to catch the so-called Golden State Killer, was pulled briefly offline on Sunday while its parent company investigated how its users’ DNA profile data apparently became available to law enforcement searches.

The company confirmed Wednesday that the permissions change was caused by a breach.

The site, which lets users upload their DNA profile data to trace their family tree and ancestors, rose to overnight fame in 2018 after law enforcement used it to match the DNA of a serial murder suspect against the million-plus DNA profiles in the site’s database without first telling the company.

GEDmatch issued a privacy warning to its users and put in new controls to allow users to opt-in for their DNA to be included in police searches.

But users reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.

In a statement on Wednesday, the company told users by email that it was hit by two security breaches on July 19 and July 20.

“We became aware of the situation a short time later and immediately took the site down. As a result of the breach, all user permissions were reset, making all profiles visible to all users,” the email read. “This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were also available for law enforcement matching, and conversely, all law enforcement profiles were made visible to Gedmatch users.”

The statement said that the second breach caused users’ settings to reset, allowing law enforcement to search profile data for users who had previously opted out.

At the time of writing, GEDmatch’s website was offline.

DNA profiling and analysis companies are increasingly popular with users trying to understand their cultural and ethnic backgrounds by discovering new and ancestral family members. But law enforcement agencies are increasingly pushing for access to genetic databases to try to solve crimes from DNA left at crime scenes.

A spokesperson for the company on Wednesday said the company had reported the incident to the authorities. The company told TechCrunch that it had not received or responded to any law enforcement requests during the two-day incident.

GEDmatch does not publish how frequently law enforcement seeks access to the company’s data. Its rivals, like 23andMe and Ancestry.com, have already published these so-called transparency reports. Earlier this year Ancestry.com revealed that it rejected an out-of-state police warrant, indicating that police are still using DNA profiling and analysis sites for information.

“The acknowledgement of an issue is a start, but if a ‘resolution’ means simply correcting the error, there are many questions that remain,” Elizabeth Joh, a professor of law at University of California, Davis School of Law, told TechCrunch.

“For instance, does GEDmatch know whether any law enforcement agencies accessed these improperly tagged users? Will they disclose any further details of the breach? And of course, this isn’t simply GEDmatch’s problem: a privacy breach in a genetic genealogy database underscores the woefully inadequate regulatory safeguards for the most sensitive of information, in a novel arena for civil liberties,” she said. “It’s a mess.”

Updated on July 22 with confirmation of the security breach. First published on July 19 at 5:38 p.m. ET.