UPDATED 22:48 EDT / JULY 22 2020

SECURITY

DNA matching service GEDmatch suffers security breach with 1M records exposed

Online DNA matching service GEDmatch has suffered a data breach with some 1 million DNA records belonging to users being made available to law enforcement services.

The company, best known for providing the DNA analysis that led to the arrest of the “Golden State Killer” in 2018, provides an online service to compare autosomal DNA data files from different companies.

That data can be used to trace family matches via DNA as well as to help law enforcement. The company, as of 2019, only shares DNA data with law enforcement where users have opted into allowing their DNA to be shared, but with this data breach, all DNA was shared.

Where the breach becomes especially interesting is that GEDmatch is blaming it on “a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account.”

“As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours,” GEDmatch said in a post on Facebook Monday. “During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.”
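The failure GEDmatch describes, a permission reset that leaves every profile visible, is what happens when consent is stored as an opt-out that a reset clears. The following Python sketch is an added illustration, not GEDmatch's code, using constructed profile data and made-up names: it models the law-enforcement consent flag as an allowlist (explicit opt-in) and as a denylist (explicit opt-out), applies the same bulk reset to both, and shows that only the allowlist design fails closed. It also includes a simple detection rule for a consent change that touches most of the profile base at once.

```python
"""Constructed example (not GEDmatch's code): consent-gated DNA matching where
the consent flag is modelled two ways, and a bulk 'permission reset' is applied
to each. The allowlist model fails closed; the denylist model fails open, which
is the outcome the article describes. All names and sample data are made up."""
from dataclasses import dataclass, field

LAW_ENFORCEMENT = "law_enforcement"  # one audience that can run matches


@dataclass
class AllowlistProfile:
    """Visibility requires an explicit opt-in; no opt-in, no visibility."""
    profile_id: str
    opt_ins: set = field(default_factory=set)

    def visible_to(self, audience: str) -> bool:
        return audience in self.opt_ins


@dataclass
class DenylistProfile:
    """Visibility is the default and is only removed by an explicit opt-out.
    This is the weak design: losing the opt-out records exposes everyone."""
    profile_id: str
    opt_outs: set = field(default_factory=set)

    def visible_to(self, audience: str) -> bool:
        return audience not in self.opt_outs


def reset_permissions(profiles):
    """Models the 'all user permissions were reset' event: every stored
    consent record is wiped, whichever model holds it."""
    for p in profiles:
        if hasattr(p, "opt_ins"):
            p.opt_ins.clear()
        else:
            p.opt_outs.clear()


def visible_ids(profiles, audience):
    """Sorted ids of the profiles the given audience may match against."""
    return sorted(p.profile_id for p in profiles if p.visible_to(audience))


def build_sample(model):
    """Three constructed profiles; only 'u1' has consented to LE matching."""
    if model is AllowlistProfile:
        return [AllowlistProfile("u1", {LAW_ENFORCEMENT}),
                AllowlistProfile("u2"), AllowlistProfile("u3")]
    return [DenylistProfile("u1"),
            DenylistProfile("u2", {LAW_ENFORCEMENT}),
            DenylistProfile("u3", {LAW_ENFORCEMENT})]


def exposure_after_reset(model):
    """Returns (visible_before, visible_after) for the given consent model."""
    profiles = build_sample(model)
    before = visible_ids(profiles, LAW_ENFORCEMENT)
    reset_permissions(profiles)
    after = visible_ids(profiles, LAW_ENFORCEMENT)
    return before, after


def reset_alert(before, after, total, threshold=0.5):
    """Detection rule: a single event that changes visibility for more than
    `threshold` of all profiles is a bulk reset, not normal user activity."""
    changed = len(set(before) ^ set(after))
    return changed / total > threshold


if __name__ == "__main__":
    for model in (AllowlistProfile, DenylistProfile):
        before, after = exposure_after_reset(model)
        print(model.__name__, before, "->", after,
              "alert:", reset_alert(before, after, total=3))
```

With the allowlist model the reset wipes the one existing opt-in and nothing is visible afterwards; with the denylist model the same reset removes both opt-outs and all three profiles become visible to the law-enforcement audience, which is the exposure the article reports. The `reset_alert` check is the kind of volume-based control that would flag such a change within minutes rather than hours.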

The company claims that no user data was downloaded or compromised, but that may not be entirely true. Buzzfeed News reported today that users of genealogy and DNA testing company MyHeritage Ltd. were targeted in a phishing attack Tuesday using targeted email addresses obtained in the attack on GEDmatch.

“This breach is particularly alarming due to the highly sensitive nature of the data users entrusted to the platform,” Mark Bagley, vice president of product at enterprise security firm AttackIQ Inc., told SiliconANGLE. “A person’s DNA profile is unique and unchangeable and customers’ data was shared without their consent. Additionally, the attack sheds light on how hackers have become more creative with their motives, targeting organizations not only for monetary gain but also for powerful information.”

But even more alarming, he added, is that GEDmatch was breached twice over the course of two days, revealing a major lapse in its cybersecurity strategy. “An active approach for quantifying the performance of defenses in the face of known adversary behavior is imperative,” he said. “This should include continuous testing of security environments to address defensive gaps before they can be exploited by an adversary.”

Detailing the risks of the breach, Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., noted that the loss of DNA records and personally identifiable information could enable malicious actors to commit identity theft, insurance fraud and targeted spear-phishing campaigns.

“This information is extremely valuable and it is crucial that organizations have the proper controls for data security,” Kahol said. “Unfortunately, bad actors may have gained access to personal user data derived from GEDmatch’s database due to a misconfiguration in the database.”
