Data Breach at GEDmatch has Concerns Over Privacy #dna #announcements


Janice Brockman

I don't post here much at all, but if you are concerned about GEDmatch, you should be more concerned about using outlook.com. Here is a link (Janice Brockman, April 2019): https://www.techrepublic.com/article/hackers-accessed-outlook-com-users-emails-how-to-secure-your-personal-information/

... Microsoft notified users of Outlook.com of a security breach that exposed account information on Friday ... "This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with)" ... Microsoft confirmed to ZDNet that around 6% of those who received a notification have had the content of their accounts accessed by hackers ... Similarly, the length of the breach is unclear: Microsoft claims only three months, though a report from Motherboard indicates it was "up to six months," with hackers using account access to reset iCloud accounts linked to stolen iPhones ... Second, consider not using Outlook.com. In 2013, The Guardian reported that Microsoft provides pre-encryption access to messages sent through the service to the NSA, and has helped the agency in circumventing encryption for other Microsoft services. Microsoft's recent track record for security and privacy has been rather spotty.


Chuck Weinstein

As far as the known facts are concerned, someone hacked into GEDmatch's database and changed everyone's privacy settings to public. A number of unknown matches were injected into the system. It might have been from law enforcement or from somewhere else, but either way, it caused the entire database to be available to anyone who wanted to see it for any reason. Why, who knows? We have no idea at this juncture what else may have been compromised, including names, email addresses, etc.

Chuck Weinstein

Bellport, NY
chuck1@...


Bob Silverstein

Jeffrey, you made a number of claims without evidence.  I only asked you to cite what has actually happened so we can assess for ourselves the probability and harm of such breaches.  I want to keep this real, not theoretical.  I never said I denied any danger exists as is clear from my posting.

Robert, I think the main differences among organizations are how they raise capital, start-up and ongoing, who takes the risk, and how they distribute profits. Nonetheless, all organizations have to produce some good for someone to justify their continuance.


Max Heffler

Personal choice. My DNA data has been in many, many sites for well over a decade and the DNA that is there is only a small portion that can identify common relationships. I am not worried that anyone with access to that minuscule bit of information can harm me in any way. Perhaps they can use it to track down and arrest a murderer. I would welcome that.


From: main@... [mailto:main@...] On Behalf Of Jx. Gx. via groups.jewishgen.org
Sent: Sunday, August 9, 2020 11:41 PM
To: main@...
Subject: Re: [JewishGen.org] Data Breach at GEDmatch has Concerns Over Privacy #dna #announcements

[quoted text of Jx. Gx.'s message, reproduced in full below, omitted here]


--

Web sites I manage - Personal home page, Greater Houston Jewish Genealogical Society, Woodside Civic Club, Skala, Ukraine KehilaLink, Joniskelis, Lithuania KehilaLink, and pet volunteer project - Yizkor book project: www.texsys.com/websites.html


Jx. Gx.

Bob S:

By the nature of your questions to me it's pretty clear that you deny any danger exists to genealogists if thieves hack into genealogy sites like GEDmatch or, worse yet, Ancestry.com (because they have more customers) and steal personal information including DNA data. If the data held by genealogy companies isn't valuable to crooks, as you have implied, then how do you explain the data breach at GEDmatch? And by the way, do you really think that private equity is going to spend additional monies to employ a top-notch cyber security team and the latest versions of security software to protect your data when their ultimate goal is to flip their holding? My questions are all rhetorical. I completely agree with Robert Roth's response to you when he wrote: "I believe a healthy level of paranoia is warranted in this unknown territory."

Jeffrey Gee
Arizona 


rroth@...

In response primarily to some of the points raised by Bob Silverstein above:

1. The difference between a privately-held entity and public one is that the private entity ONLY exists to make money, there is no other goal. Whatever they are selling is a means to this one end. A public entity also wants/needs to make money, but at least in theory there is some goal of serving the public. It may be honored in the breach but at least it exists.
3. The laws re insurance companies not using genetic information are only as strong as our willingness to enforce the law on huge corporations, which in the USA in 2020 is, shall we say, limited.
4-6. I don't know how this info could be used nefariously, but that doesn't mean some clever crook somewhere will not find a way. I believe a healthy level of paranoia is warranted in this unknown territory.

Robert Roth
rroth@...


Bob Silverstein

In response to Jx. Gx.

  1. Why are privately held entities any different from public ones, non-profits and governments when making money? The ultimate goal of the privates and publics is to maximize the wealth of the shareholder. For non-profits and governments, do they not want to raise enough money to fund their activities? All are out to make money.
  2. How many hacks of actual DNA have occurred and what have been their consequences?
  3. How would a hacker use DNA data?  Are not insurance companies prevented by law from using genetic information today?  Do not law agencies need cause?
  4. The DNA used for ethnicity and cousin-finding represents a small portion of the entire human genome.  Is that useful to a hacker?  Likewise for medical genetics and identifying traits.
  5. Does a criminal or government really need my DNA to steal my identity?  Does the Internet, legitimate or the dark web, not already have enough information on me?
  6. Who now uses DNA to identify or confirm the identity of an individual other than for lawful purposes?

I look forward to your response.

Bob Silverstein
bobsilverstein@...


Jx. Gx.

I fully understand the emotional desire to connect with long-lost relatives through the use of DNA testing. Aside from the sometimes questionable accuracy of these test results, a much bigger concern is that once you give away your DNA data you lose all control of who has access to it and how it can be used. Data breaches by rogue states and criminal organizations are a serious danger and we should do everything in our power to protect ourselves. Criminal enterprises are not content with just your DNA. In recent years they have hacked into the Experian credit reports, Home Depot, Target stores, Yahoo.com, the U.S. government's Office of Personnel Management, and many other online sites. Millions of people have been affected. Social media, where people openly post photos of themselves and other personal information, is a treasure trove of information for thieves. When they pull together all the personal information and "connect the dots," they have a person's entire life's history in their hands. They can sell off this information piecemeal to other criminals on the dark web or as an entire package. They can also use this data for their own nefarious purposes. The recent sale of Ancestry to private equity companies should also be of major concern to everyone. The first priority of all equity firms is to make money. Historically, equity companies hold on to their acquisitions until they find a buyer willing to pay them top dollar. That buyer could be China or any other hostile country. These countries could also set up shell companies and buy controlling interest in DNA testing companies. Our personal data is valuable to bad people. We have to protect ourselves by not making it easy for them to gain access to our information.


erikagottfried53@...

I looked at the New York Times story referenced and read in it with some amusement that GEDmatch "contacted the F.B.I. to see if the agency would investigate" and "The F.B.I. did not respond to a request for comment." Why would it, since the F.B.I. is one of the law enforcement organizations that would benefit from broad access to commercial DNA databases, and may even already have done so?

Erika Gottfried
Teaneck, New Jersey


Tockuss1@...

A good example of why you should think twice about using your DNA for genealogy. I prefer to stick to the traditional ways of research.


Stanley Levine

And even if they did get raw data, so what! What could they do with it?


Adam Cherson

According to GEDmatch, they do not keep anyone's raw data on their servers, so there is no possibility of the hack having accessed anyone's raw data.


Jan Meisels Allen

GEDmatch, the site some genealogists use to match with others from different DNA testing sites, has suffered a data breach. While people could opt out of sharing their data with law enforcement, it was found that over one million users who had opted not to help law enforcement had been forced to opt in. GEDmatch changed its policy in May 2019 so that only users who explicitly opted to help law enforcement would show up in police searches. They found two back-to-back hacks which overrode the users' settings.


According to GEDmatch's owner, Verogen, the first breach occurred early on July 19. After shutting down the site, his team "covered up the vulnerability," he said, and brought it back online, but only briefly. "On Monday we took the site down again because it was clear the hackers were trying again." The site remained down for a week.


The giveaway that the matches were not actual relatives was that their DNA was too good to be true, said Leah Larkin, a biologist who runs DNA Geek, a genealogical research company.


To read more see: https://www.nytimes.com/2020/08/01/technology/gedmatch-breach-privacy.html


Thank you to Teven Laxer, member of the IAJGS Public Records Access Committee, for sharing the article with us.


Jan Meisels Allen

Chairperson, IAJGS Public Records Access Monitoring Committee