
What’s the Fallout from the GEDMatch Genealogy Database Breach? 

By Jennifer Bucholtz, Faculty Member, Criminal Justice and Forensic Science at American Military University

In July, GEDMatch, an ancestry genealogy site, suffered two breaches to its website by hackers. Subsequently, the website was shut down on both occasions to troubleshoot the breach and ensure the privacy of users’ data.

GEDMatch provides free, open-source access to anyone seeking to find ancestors and family members by uploading their DNA profile data.

So far, approximately 1.45 million people have enrolled. A computer algorithm analyzes each profile and provides the users with information on matches to potential relatives.

A “match” is not as simple as it sounds, however. The user receives a list of other registrants who share a portion of their DNA profile with the user. The amount of shared DNA for each match is expressed in a unit of measurement known as centimorgans. The higher the centimorgan number, the more closely related a user is to the match. For example, centimorgan matches in the 3,400 range indicate a parent and child, while a match of only about 1,700 centimorgans may be an aunt or uncle of the user.

In order to upload data to GEDMatch, users must first have their DNA analyzed by a third-party vendor, such as 23andMe or Ancestry. Users can order a kit from either company, deposit their saliva in a tube, and mail the kit back for analysis. The end result provides insight into a person’s ancestry — what countries the family tree has had ties to — and, if requested, health predisposition reports. The latter can provide information about genetic markers that may cause a person to be more vulnerable to certain diseases, such as breast cancer or Alzheimer’s.

The analysis can also identify whether a person is a carrier for particular diseases, including cystic fibrosis and sickle cell anemia. Once a user has received the DNA results, that person can then upload those results to GEDMatch for further ancestry analysis.

GEDMatch in Law Enforcement

In 2018, law enforcement officials began using the GEDMatch website to link unknown DNA samples found at crime scenes to suspects. The first and most well-known case in which forensic genetic genealogy was used identified the rapist/murderer in a decades-old cold case known as the Golden State Killer.

Joseph DeAngelo left his DNA at many of his rape and murder scenes throughout his years-long series of crimes. However, officials were never able to identify it as his DNA because the CODIS database never returned a match. DeAngelo’s DNA profile had never been entered into CODIS because he had never served in the military or been arrested or convicted of a crime.

After uploading the unknown DNA to GEDMatch, retrieving the centimorgan matches, and working with a genetic genealogist who specializes in building family trees, authorities were able to identify DeAngelo as the likely suspect. He was arrested in May of 2018 and pleaded guilty. He was sentenced to life in prison in August 2020.

The identification of DeAngelo via GEDMatch began a new initiative in law enforcement seeking to solve cold cases. Since the identification of the Golden State Killer, many other cold cases have been solved using forensic genetic genealogy.

[Related: How Law Enforcement is Using Genealogy Testing Services to Solve Cold Cases]

Privacy concerns on behalf of ancestry site users have paralleled this advancement in crime-fighting. Many people have raised concerns about law enforcement, pharmaceutical and insurance companies, or other government agencies gaining access to their genetic profile and using it for alternative reasons.

How Safe Is a Person’s DNA Data on GEDMatch?

When a user uploads his or her DNA results to GEDMatch, those results are converted to a different, coded format and the user is provided a corresponding kit number. The reason for this is twofold: one, the coded format eliminates the risk of having users’ actual DNA code online; two, it facilitates ease of use for the website’s software. Once converted, the original profiles are deleted. The passwords all users create for their login are also automatically encrypted so that site managers and owners cannot view the original password of any user.

There is no method available on the site that allows someone else to download the DNA profile of a user. Additionally, when enrolling for access to GEDMatch, registrants are given a choice of four levels of privacy: Private, Research, Public + Opt Out, and Public + Opt In. Users may change their privacy preference at any time.

Public + Opt In is the most open level of access, in which a user’s profile can be compared to any other user profile on the site, including comparisons run by law enforcement for investigative purposes. Currently, approximately 280,000 users have “opted in” on the site.

Details of the GEDMatch Breaches

An investigation of the breaches revealed that no user DNA information was stolen or altered. In the first breach, it appears the only action the hackers took was to reset all users’ privacy preferences to “Public + Opt In.” As a result, all 1.45 million coded DNA profiles were temporarily available for genetic matching for any other GEDMatch user, including law enforcement.

However, there is no indication that any law enforcement agency used the database during the few hours when all profiles were available. In the second breach, the hackers changed all user privacy preferences to “Research,” which allows profiles to be seen only for one-to-one comparison and is a very limited privacy setting.
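Both intrusions described above changed every account’s privacy level at once, a pattern that a site operator can detect in its own audit trail. The following is an added example of such a check; it is not GEDMatch or Verogen code, and the log format, field names, and alert threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines in a hypothetical format:
# "<timestamp> kit=<kit number> old=<previous level> new=<new level>".
# Five accounts are flipped to Public+OptIn within two seconds, then one
# user makes an ordinary, isolated change hours later.
SAMPLE_LOG = """\
2020-07-19T02:00:01Z kit=A100 old=Private new=Public+OptIn
2020-07-19T02:00:01Z kit=A101 old=Research new=Public+OptIn
2020-07-19T02:00:02Z kit=A102 old=Public+OptOut new=Public+OptIn
2020-07-19T02:00:02Z kit=A103 old=Private new=Public+OptIn
2020-07-19T02:00:03Z kit=A104 old=Private new=Public+OptIn
2020-07-19T14:30:00Z kit=A105 old=Private new=Research
"""


def parse_line(line):
    """Turn one audit line into a dict with a parsed timestamp."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bulk_privacy_reset(log_text, total_accounts,
                              window=timedelta(minutes=5), fraction=0.5):
    """Return (new_level, count, window_start) for every privacy level that
    at least `fraction` of all accounts were switched to inside one `window`.
    Normal user activity is a trickle of isolated changes; a mass reset
    like the ones in the breaches shows up as one level absorbing a large
    share of the user base in minutes."""
    by_level = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_level[rec["new"]].append(rec["ts"])

    alerts = []
    threshold = fraction * total_accounts
    for level, stamps in by_level.items():
        stamps.sort()
        lo, best, best_start = 0, 0, None
        for hi, ts in enumerate(stamps):          # sliding window over time
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, stamps[lo]
        if best >= threshold:
            alerts.append((level, best, best_start.isoformat()))
    return alerts


if __name__ == "__main__":
    print(detect_bulk_privacy_reset(SAMPLE_LOG, total_accounts=8))
```

With eight accounts in the constructed sample, the five near-simultaneous switches to Public+OptIn trip the 50 percent threshold while the single change to Research does not.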

Following the two breaches, Brett Williams, CEO of GEDMatch’s parent company, Verogen Inc., issued a statement which read in part: “We can assure you that your DNA information was not compromised, as GEDMatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.”

In the days following the two breaches, several clients of the MyHeritage site, a genealogy website based in Israel, reported phishing attacks in which they were sent malicious emails with the intent to obtain their login information for the site. It’s been suggested that the phishing scam hackers wanted to obtain users’ email addresses via the GEDMatch breach; however, that has not been proven.

As of July 21, 2020, 16 users had fallen victim to this scam, unwittingly providing their MyHeritage login information to a malicious party. This, in turn, may have allowed the hackers to access users’ profiles on the MyHeritage site, changing privacy settings, or obtaining other personal information.

Fortunately, MyHeritage was alerted minutes after the scam began and took immediate security actions to protect all user data and login information. It is possible a similar phishing scam may occur in the future, targeting users of 23andMe and Ancestry, which could result in the theft of more login credentials or personal information.

Possible Motives Behind the Attack

No one has claimed responsibility for the breaches of GEDMatch. Therefore, we can’t be sure of the hackers’ purpose in illegally accessing the website. However, several possible motives exist. The hackers may have wanted to discredit GEDMatch and its parent company, create privacy fears among users, and discourage people from using the company’s genetic genealogy resources.

An alternate purpose may have been to obtain user email addresses to send phishing emails in an attempt to gain access to the personal computers or accounts of those users. It is also possible the hackers simply wanted to prove that they could crack the website security measures and had no other malicious intent.

Potential Fallout of the Breach

There are several consequences that might be observed in coming months as a result of the breaches. The most serious would be fewer DNA profiles being available in GEDMatch and other genetic genealogy sites. Although one’s DNA profile cannot be obtained from any genealogy site, doubt still exists among many skeptics. A reduction in available DNA profiles would likely decrease the ability of law enforcement agencies to use genealogy sites to solve cold cases. This, in turn, could lead to a reduction in clearance rates for unsolved cases and allow more violent criminals to remain free.

The issue of whether law enforcement’s use of genealogy sites constitutes a violation of the Fourth Amendment right against unreasonable search and seizure has been greatly debated in recent months. Although users must now provide explicit permission for law enforcement to see their genetic profile, Fourth Amendment issues still persist.

One argument holds that constructing an unknown suspect’s family tree inadvertently identifies innocent people to law enforcement; these are people who have not uploaded their genetic information to any website and who have not granted permission for law enforcement to use their familial relationships to narrow a suspect pool. Breaches of any genealogy website will surely continue to fuel this debate.

Though risks certainly exist in conjunction with the use of any genetic information in an online environment, appropriate security measures have been instituted by GEDMatch and other similar companies. The fact that no actual DNA profiles are stored online combined with users’ ability to fully control their privacy settings should ease the concern of persons interested in genetic genealogy. For many, the benefit of knowing they may have inadvertently helped remove a violent criminal from the streets outweighs the minimal risks of enrolling in a genealogy website.

[Listen to Jennifer Bucholtz’s five-part podcast series on her involvement in solving the cold case of Rebekah Gould.]

About the Author: Jennifer Bucholtz is a former U.S. Army Counterintelligence Agent and a decorated veteran of the Iraq and Afghanistan wars. She holds a Bachelor of Science in criminal justice, Master of Arts in criminal justice and Master of Science in forensic sciences. Bucholtz has an extensive background in U.S. military and Department of Defense counterintelligence operations. While on active duty, she served as the Special Agent in Charge for her unit in South Korea and Assistant Special Agent in Charge at stateside duty stations. Bucholtz has also worked for the Arizona Department of Corrections and Office of the Chief Medical Examiner in New York City. She is currently an adjunct faculty member at American Military University and teaches courses in criminal justice and forensic sciences. Additionally, she is an instructor for the Department of State’s Office of Anti-Terrorism Assistance and a licensed private investigator in Colorado. You can contact her at Jennifer.Bucholtz@mycampus.apus.edu.

Jennifer Bucholtz

Jennifer Bucholtz is a former U.S. Army Counterintelligence Agent and a decorated veteran of the Iraq and Afghanistan wars. She holds a bachelor of science in criminal justice, a master of arts in criminal justice and a master of science in forensic sciences. Bucholtz has an extensive background in U.S. military and Department of Defense counterintelligence operations. Bucholtz has also worked for the Arizona Department of Corrections and Office of the Chief Medical Examiner in New York City. She is currently an adjunct faculty member and teaches courses in criminal justice and forensic sciences. Additionally, she is a sworn civilian investigator for the El Paso County Sheriff’s Department and host of AMU’s investigative podcast Break the Case. You can contact her at Jennifer.Bucholtz@mycampus.apus.edu.
