The DNA analysis site GEDmatch experienced two security breaches on July 19 and July 20—breaches that indicate a “major lapse in its cybersecurity strategy,” according to a report by SiliconANGLE. Additionally, around one million people’s DNA data was made available to law enforcement without their consent, due to a reset of all users’ permissions during the second breach.
Privacy Breach: GEDmatch controversially allows law enforcement to access private DNA data
On July 22, 2020, GEDmatch admitted that the DNA records of around one million users had been made available to police in the wake of recent data breaches.
DNA profiling companies like GEDmatch are increasingly popular among people wanting to learn more about their family background. However, law enforcement agencies are also pushing for more access to these genetic databases to try to solve crimes with DNA evidence.
According to TechCrunch, GEDmatch does not report on how often its data is requested by law enforcement, in contrast to rival DNA analysis companies like 23andMe and Ancestry.com.
Prior to these July 2020 breaches, GEDmatch had controversially allowed law enforcement to search its database. This practice of acquiescing to government search warrants has been criticized by privacy advocates, including the ACLU.
MyHeritage data breach
Shortly after the GEDmatch data breaches, malicious actors allegedly used the leaked email addresses to mount a phishing attack on users of a different genealogy website, MyHeritage. BuzzFeed News alleges that this phishing attack appeared to target email addresses obtained from GEDmatch. Users of both websites may be at risk.
Regulatory safeguards are “woefully inadequate” to protect DNA data against data breaches
While the rise of affordable DNA analysis technology has brought better knowledge of ancestral heritage and health outcomes to many people, it has also increased the risk of sophisticated fraud. According to an expert cited in SiliconANGLE, malicious actors may use DNA data to commit identity theft, insurance fraud and targeted spear-phishing campaigns.
UC Davis School of Law Professor Elizabeth Joh weighed in on GEDmatch’s data breaches to TechCrunch:
“A privacy breach in a genetic genealogy database underscores the woefully inadequate regulatory safeguards for the most sensitive of information, in a novel arena for civil liberties. It’s a mess.”
Our Firm's Winning Data Breach and Privacy Expertise
Gibbs Law Group is a leader in emerging litigation involving consumer privacy and data security. Our data breach and privacy team has achieved groundbreaking reforms and recovered hundreds of millions of dollars for plaintiffs in cutting-edge, high-profile cases, including lawsuits against Equifax, Anthem, Adobe, VIZIO, Lenovo, and Banner Health. Our attorneys helped negotiate record-breaking settlements, including the $1.5 billion Equifax Data Breach settlement and the $115 million Anthem Data Breach settlement. We secured a $17 million settlement in the VIZIO smart TV class action lawsuit that forced VIZIO to delete all of the data it wrongfully collected. Our attorneys were appointed by a federal judge to serve in a leadership position in privacy litigation against Zoom, and we are also pursuing cutting-edge privacy issues in litigation against facial-recognition company Clearview AI.
Eric Gibbs co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group and has been recognized with numerous accolades for his privacy work, including a California Lawyer Attorney of the Year (CLAY) award for the Anthem Data Breach Lawsuit settlement, and has been named a “Top Plaintiff Lawyer in California” by the Daily Journal and a “Cybersecurity and Privacy MVP” and “Consumer Protection MVP” by Law360. In addition, Gibbs Law Group partners Andre Mura and David Berger have been recognized for their data breach and privacy expertise. Andre Mura was honored as one of the Top Cybersecurity/ Privacy Attorneys Under 40 by Law360 and David Berger is the current chair of the American Association for Justice’s Data Breach and Privacy Litigation Group, contributes to a data privacy think tank, and consults with state and federal legislators on data breach and privacy issues.
Our Privacy Attorneys
Gibbs Law Group is a California-based law firm committed to protecting the rights of clients nationwide who have been harmed by corporate misconduct. We represent individuals, whistleblowers, employees, and small businesses across the U.S. against the world’s largest corporations. Our award-winning lawyers have achieved landmark recoveries and over a billion dollars for our clients in high-stakes class action and individual cases involving consumer protection, data breach, digital privacy, and federal and California employment lawsuits. Our attorneys have received numerous honors for their work, including “Top Plaintiff Lawyers in California,” “Top Class Action Attorneys Under 40,” “Consumer Protection MVP,” “Best Lawyers in America,” and “Top Cybersecurity/ Privacy Attorneys Under 40.”
About Gibbs Law Group