A malicious server compromise recently confirmed by DNA investigation services provider GEDmatch serves as a reminder of the incident response challenges and privacy ramifications that companies face when they trade in sensitive data – in this case, DNA, the most personal of data – especially when such incidents create unique opportunities for targeted phishing campaigns.
Owned by forensic science and sequencing company Verogen, GEDmatch is used by customers to learn more about their genealogy by comparing autosomal DNA data files across different testing kit providers. But law enforcement agencies also use the service to aid forensic investigations by matching DNA to samples collected at crime scenes. While users who submit their DNA kit results have the option to opt out of having their data accessible to law enforcement, the July 19 attack apparently changed user permission settings – making all case files potentially reviewable via the GEDmatch website for a period of about three hours.
Alexander Boyd, an associate in the Technology Transactions and Data Privacy practice at the law firm Polsinelli, said that when an incident like this happens, the victimized company must remediate the situation, preserve any key forensic evidence and then ask several key questions: "How long was the information exposed? What specific information was exposed? Is there evidence that any unauthorized persons actually exploited the incident in order to view or acquire sensitive information?" This would presumably include making sure police investigators didn't unintentionally take advantage of access they weren't supposed to have.