żěè¶ĚĘÓƵ

Privacy attack on DNA website reveals 93 per cent of a person’s data

One of the world’s biggest genetic genealogy websites, GEDmatch, has a vulnerability that means people’s data could be accessed without their permission
A man in a dark room looking at a screen
Researchers have tested a genetic privacy attack on GEDmatch
FangXiaNuo/Getty Images

A vulnerability found on one of the world’s biggest genetic genealogy websites could leave people’s private data at risk of being accessed without their permission.

At risk are the 1.2 million people who have had a DNA test with other companies and then uploaded their genetic data to GEDmatch, an online database that helps people match segments of their genome with other users to find family members.

Peter Ney and his colleagues at the University of Washington say the service has significant privacy and data issues. The researchers managed to extract most of the and found that this data could be used to create genetically legitimate-looking relatives. This could be used to conduct fraud, they say.

Unlike a paper published last week, which outlined three theoretical ways attackers could try to obtain the genetic data of users of such services, Ney and his colleagues went ahead and tested the method on the GEDmatch site. “It’s important, because with a theoretical attack, there are things that might make that impractical,” says Ney.

The team created five fake accounts on GEDmatch to test their method. To reveal the genetic information linked to the target accounts the team first searched for the associated “kit ID”, which is an identifying code that links the account to any genetic data held about it by the site. This could be found by searching for a user’s email or by some more sophisticated methods.

Once they found the kit ID the team could reveal parts of the target’s genetic data by performing comparisons with other users. This and further analysis was enough for the researchers to identify 93 per cent of the genetic profile of the five targets, including revealing potential indicators of medically sensitive issues.

In a final step, the harvested genetic data was used to create a fake relative of one of the targets. Uploading this to the site prompted GEDmatch to suggest the two accounts had a parent-child relationship. The researchers say a fake relative could be used for fraud, to gain the trust of a target or to damage their reputation.

The GEDmatch site has become known for helping law enforcement agencies solve old criminal cases, including potentially identifying a notorious serial killer. Fake relatives could be inserted into the database to make life harder for law enforcement agents.

Ney says it isn’t for him to say what users of GEDmatch should do, but they should be aware of security issues. He also notes that people concerned about privacy can delete their data from the site. The team will present the research at the Network and Distributed Systems Security  Symposium in San Diego next year.

The study identifies a “clear risk” to the GEDmatch database, according to Graham Coop at the University of California, Davis, who wasn’t involved in the work. “I do worry that [GEDmatch are] not taking these concerns seriously enough. They have over a million people’s genetic data and they have placed these data at risk, which is incredibly concerning.”

The risks could be easily solved by limiting genetic data uploads to DNA test results that are authenticated or digitally signed, says Ney. Better checks on uploads to detect anomalies, and restrictions on one-to-one comparison searches would help too, he says. His team alerted GEDmatch to the vulnerabilities before publishing and took measures to avoid exposing anyone’s identity.

Curtis Rogers at GEDmatch says: “We are concerned about security and appreciate they have pointed out vulnerabilities.” He says the site has made several changes to address the vulnerability and is working on others, but didn’t specify what measures.

Topics: DNA / Genetics