This afternoon, it was confirmed that GEDmatch, the DNA analysis site best known for catching the Golden State Killer, has experienced a data breach that caused user profiles to become available to law enforcement searches. Typically, the site allows users to opt-in for their DNA to be included in police searches, but this breach changed these settings on user accounts without their permission.
This breach is particularly alarming due to the highly sensitive nature of the data users entrusted to the platform. A person’s DNA profile is unique and unchangeable, and customers’ data was shared without their consent. Additionally, the attack sheds light on how hackers have become more creative with their motives, targeting organizations not only for monetary gain but also for powerful information.
Even more alarming is that GEDmatch was breached twice over the course of two days, revealing a major lapse in their cybersecurity strategy. An active approach for quantifying the performance of defenses in the face of known adversary behavior is imperative. This should include continuous testing of security environments to address defensive gaps before they can be exploited by an adversary.