Tuesday, 21 July 2020

Gedmatch fiasco continues

Following the extraordinary developments with Gedmatch (www.gedmatch.com) yesterday (see https://scottishgenes.blogspot.com/2020/07/privacy-breach-at-gedmatch.html), I have been repeatedly trying to get into the site to delete my account. This is the message currently on display:

The gedmatch site is down for maintenance. Currently no ETA for availability. 

There are many issues raised by the alleged privacy breach, but one of them, from a UK and EU perspective, concerns compliance with the rules on GDPR, something explored by Debbie Kennett at https://cruwys.blogspot.com/2020/07/major-privacy-breach-at-gedmatch.html.

Further coverage is also available at https://techcrunch.com/2020/07/19/gedmatch-investigating-dna-profile-law-enforcement/, including a brief statement from Brett Williams, CEO of Verogen, now the parent company of Gedmatch: "We are aware of the issue regarding Gedmatch, where user permissions were not set correctly... We have resolved that issue; however, as a precaution, we have taken the site down while we are investigating the actual cause of the error. Once we understand the cause, we will be issuing a more formal statement".

UPDATE: Message from Gedmatch via Facebook:

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.

This was the extent of the breach. No user data was downloaded or compromised.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this violation.

Today, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.

This is clearly disappointing for our company, as user privacy and data security are our top priorities. We apologize to our GEDmatch users and our law enforcement customers for the concern and frustration this situation has caused.
Thank you for your continued support of GEDmatch.

If you have questions, please reach out to us at gedmatch@verogen.com. We will update you as soon as we have more information to share.

(Source: https://www.facebook.com/officialGEDmatch/)


Chris
