GEDmatch owners Verogen bought by QIAGEN for US $150 million

Thanks to Debbie Kennett via Twitter (@DebbieKennett) for flagging up that GEDMatch owners Verogen have just been acquired by a Dutch company called QIAGEN for US $150 million. The full press release is at https://corporate.qiagen.com/English/newsroom/press-releases/press-release-details/2023/QIAGEN-Completes-Acquisition-of-Verogen-Strengthening-Leadership-in-Human-ID--Forensics-With-NGS-Technologies/default.aspx.

The press release notes the following on the acquisition with regards to the further development of the company's forenisc services:

Human identification DNA techniques have evolved greatly over the past few decades, helping to meet huge challenges like in the aftermaths of wars and natural disasters, as well as to support advances in criminal justice. As just one example, the International Commission on Missing Persons in the Netherlands to date has profiled more than 44,000 bone samples and made more than 18,000 identifications – all processed using QIAGEN chemistry and kits.

However, the limitations of today’s broadly used workflows based on short-tandem-repeat (STR) analyses using capillary electrophoresis (CE) technology impede matches in an estimated 60-85% of traditional searches. This has resulted in a backlog of about 1 million unsolved cases in the U.S. alone.

Law enforcement, military and other forensic experts around the world increasingly look to NGS for its unprecedented genetic insights, such as allowing investigators to infer unique attributes like hair and eye color and biogeographical ancestry.

Verogen’s sequencing and analysis solutions are designed for use on the MiSeq FGx® Sequencing System from Illumina, Inc. With this acquisition, QIAGEN gains exclusive distribution rights for this version of the MiSeq sequencer designed specifically for forensics applications. More than 300 MiSeq FGx Sequencing Systems have been placed to date, marking a strong entry into this market segment. The Verogen portfolio of kits for use on this sequencer includes the ForenSeq suite of kits including DNA Signature Prep, Imagen, Kintelligence and MainstAY product lines, all providing forensics experts with better answers to help solve the most complex unresolved cases.

Chris 

My new book Tracing Your Irish Ancestors Through Land Records is now available to buy at https://bit.ly/IrishLandRecords. Also available - Sharing Your Family History Online, Tracing Your Scottish Family History on the Internet, Tracing Your Irish Family History on the Internet (2nd ed), and Tracing Your Scottish Ancestry Through Church and State Records - to purchase, please visit https://bit.ly/ChrisPatonPSbooks. Further news published daily on The Scottish GENES Facebook page, and on Twitter @genesblog.

GEDMatch updates terms of service and privacy policy

GEDMatch (www.gedmatch.com) is updating its terms of service and privacy policy. The following was received earlier by email:

Here at GEDmatch, we are focused on improving our services and your experience as a user.  We are updating our GEDmatch.com Terms of Service and Privacy Policy to include required disclosures in accordance with applicable privacy laws, to update our payment terms, and to make our policies more transparent and understandable for you. Please be sure to read the full set of updated terms.

The updated terms will go into effect on January 11, 2021. If you continue to use our services on or after January 11, 2021 you are agreeing to the updated terms.  If you don’t agree, you can choose to discontinue using our services and close your account before the updated terms become effective.

The link supplied to the new terms is not working for me, but the site's last update on December 9th 2019 is available at https://www.gedmatch.com/tos.htm, where I am guessing they will appear shortly.

COMMENT: I thought I had deleted my GEDMatch account following its serious data breach in July 2020 (see http://scottishgenes.blogspot.com/2020/07/gedmatch-site-now-back-up-again.html) so I was surprised to receive this message. It appears that I deleted my DNA information and Gedcom from the site, but that the account is still active. I have now emailed Gedcom to ask them to remove me from their system.  

Chris

Pre-order my next book, Sharing Your Family History Online, at https://bit.ly/SharingFamHist. My book Tracing Your Scottish Family History on the Internet, at http://bit.ly/ChrisPaton-Scottish2 is also out, as are Tracing Your Irish Family History on the Internet (2nd ed) at http://bit.ly/ChrisPaton-Irish1 and Tracing Your Scottish Ancestry Through Church and State Records at http://bit.ly/ChrisPaton-Scotland1. Further news published daily on The Scottish GENES Facebook page, and on Twitter @genesblog.

Gedmatch site now back up again

Gedmatch (www.gedmatch.com) is now back up and running again, following its recent decision to temporarily take the site down after a fairly serious privacy breach (see https://scottishgenes.blogspot.com/2020/07/gedmatch-fiasco-continues.html and https://scottishgenes.blogspot.com/2020/07/myheritage-platform-attack-possibly.html). The following message is available at the top of the page:

We have completed a thorough review of the site for security vulnerabilities and have made changes where appropriate to ensure the security of your data. If you note any issues that are of concern, please submit a request tracker ticket for resolution. For our Tier 1 members we will be extending your membership by 1 week. 

Comment: I have now finally been able to delete my account.

Chris

My next 5 week Scottish Research Online course starts August 31st - see https://www.pharostutors.com/details.php?coursenumber=102. My book Tracing Your Scottish Family History on the Internet, at http://bit.ly/ChrisPaton-Scottish2 is now out, also available are Tracing Your Irish Family History on the Internet (2nd ed) at http://bit.ly/ChrisPaton-Irish1 and Tracing Your Scottish Ancestry Through Church and State Records at http://bit.ly/ChrisPaton-Scotland1. Further news published daily on The Scottish GENES Facebook page, and on Twitter @genesblog.

MyHeritage phishing attack possibly related to Gedmatch breach

Email received this morning from Gedmatch (www.gedmatch.com):

Dear GEDmatch member,

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.

On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.

Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.

Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at gedmatch@verogen.com or (858) 285-4101. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.

Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.

Sincerely,

Brett Williams
CEO, Verogen Inc.

And an announcement from MyHeritage (www.myheritage.com), via its blog at https://blog.myheritage.com/2020/07/security-alert-malicious-phishing-attempt-detected-possibly-connected-to-gedmatch-breach/:

We want to alert MyHeritage users about a malicious attempt to steal credentials that we identified several hours ago and is still ongoing.

Perpetrators whose identity is unknown set up a fake website called myheritaqe.com (same as MyHeritage, but with the letter Q instead of the letter G). They started setting up this fake website yesterday, July 20, 2020 according to whois information, which is the date on which this domain was created and registered. They used an anonymity service to hide their identity. They exploited the fact that it’s hard to differentiate between the letters q and g, especially on mobile phones.

We immediately reported this phishing website to GoDaddy.com to have its domain removed and GoDaddy.com are in the process of taking it down. We also reported it to Azure where it is hosted so they could remove it too.

On the fake website, myheritaQe.com, the perpetrators set up a phishing login form to receive login information intended for MyHeritage and harvest the password. The website was made to look like part of the real MyHeritage.com homepage, with all the functionality not working except the fake login. It tries to impersonate the real website.

The perpetrators then started sending a phishing email to email addresses that they apparently compromised from GEDmatch. We don’t know if they emailed (or intend to email) all the users of GEDmatch or only those who uploaded DNA data to GEDmatch that originated from MyHeritage. What we found with all the users they did email, after speaking with these users, is that those users are all using GEDmatch. Because GEDmatch suffered a data breach two days ago, we suspect that this is how the perpetrators got their email addresses and names for this abuse.

One of the users who reported the phishing email had the email copy addressed to another unique name that is not associated with his account on MyHeritage, and that name does not exist on MyHeritage, but it’s the name associated with his account on GEDmatch, which strengthens our suspicion that the account details for phishing were retrieved by the perpetrators from GEDmatch.

The malicious phishing email sent by the perpetrators has the subject “Ethnicity Estimate v2”

For more from the MyHeritage release, including screengrabs of what to expect from the email described, visit https://blog.myheritage.com/2020/07/security-alert-malicious-phishing-attempt-detected-possibly-connected-to-gedmatch-breach/

Chris

My next 5 week Scottish Research Online course starts August 31st - see https://www.pharostutors.com/details.php?coursenumber=102. My book Tracing Your Scottish Family History on the Internet, at http://bit.ly/ChrisPaton-Scottish2 is now out, also available are Tracing Your Irish Family History on the Internet (2nd ed) at http://bit.ly/ChrisPaton-Irish1 and Tracing Your Scottish Ancestry Through Church and State Records at http://bit.ly/ChrisPaton-Scotland1. Further news published daily on The Scottish GENES Facebook page, and on Twitter @genesblog.

Gedmatch fiasco continues

Following the extraordinary developments with Gedmatch (www.gedmatch.com) yesterday (see https://scottishgenes.blogspot.com/2020/07/privacy-breach-at-gedmatch.html) I have been repeatedly trying to get into the site to delete my account. This is the message currently on display:

The gedmatch site is down for maintenance. Currently no ETA for availability. 

There are many issues raised by the alleged privacy breach, but one of them, from a UK and EU perspective, concerns compliance with the rules on GDPR, something explored by Debbie Kennett at https://cruwys.blogspot.com/2020/07/major-privacy-breach-at-gedmatch.html.

Further coverage is also available at https://techcrunch.com/2020/07/19/gedmatch-investigating-dna-profile-law-enforcement/, including a brief statement from Brett Williams, CEO of Verogen the parent company now of Gedmatch - "We are aware of the issue regarding Gedmatch, where user permissions were not set correctly... We have resolved that issue; however, as a precaution, we have taken the site down while we are investigating the actual cause of the error. Once we understand the cause, we will be issuing a more formal statement".

UPDATE: Message from Gedmatch via Facebook:

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.

This was the extent of the breach. No user data was downloaded or compromised.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this violation.

Today, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.

This is clearly disappointing for our company, as user privacy and data security are our top priorities. We apologize to our GEDmatch users and our law enforcement customers for the concern and frustration this situation has caused.
Thank you for your continued support of GEDmatch.

If you have questions, please reach out to us at gedmatch@verogen.com. We will update you as soon as we have more information to share.

(Source: https://www.facebook.com/officialGEDmatch/)

Chris

My next 5 week Scottish Research Online course starts August 31st - see https://www.pharostutors.com/details.php?coursenumber=102. My book Tracing Your Scottish Family History on the Internet, at http://bit.ly/ChrisPaton-Scottish2 is now out, also available are Tracing Your Irish Family History on the Internet (2nd ed) at http://bit.ly/ChrisPaton-Irish1 and Tracing Your Scottish Ancestry Through Church and State Records at http://bit.ly/ChrisPaton-Scotland1. Further news published daily on The Scottish GENES Facebook page, and on Twitter @genesblog.