A malicious server compromise recently confirmed by DNA investigation services provider GEDmatch serves as a reminder of the incident response challenges and privacy ramifications that companies face when they trade in sensitive data – in this case, DNA, the most personal of data – especially when such incidents create unique opportunities for targeted phishing campaigns.
Owned by forensic science and sequencing company Verogen, GEDmatch is used by customers to learn more about their genealogy by comparing autosomal DNA data files between different testing kit providers. But law enforcement members also use the service to aid forensic investigations by matching DNA to samples collected at crime scenes. While users who submit their DNA kit results have the option to opt out of having their data accessible to law enforcement, the July 19 attack apparently changed user permission settings – making all case files potentially reviewable via the GEDmatch website for about a three-hour period.
Alexander Boyd, an associate in the Technology Transactions and Data Privacy practice at the law firm Polsinelli, said that when an incident like this happens, the victimized company must remediate the situation, preserve any key forensic evidence and then ask several key questions: "How long was the information exposed? What specific information was exposed? Is there evidence that any unauthorized persons actually exploited the incident in order to view or acquire sensitive information?" This would presumably include making sure police investigators didn't unintentionally take advantage of access they weren't supposed to have.
"Containment of the damage, root cause analysis, and communications with the appropriate stakeholder groups are parallel workstreams that must be closely coordinated in the early stages of an incident of this nature," added Tony Kirtley, director, incident commander, at Secureworks.
So far, few details have been shared. Verogen said in a breach notification that the incident was the result of a "sophisticated attack on one of our servers via an existing user account." Making matters worse, the company noted that on July 20, "as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks."
"...I suspect that a web site administrator performed actions that he or she thought fixed the problem, but the fix was not validated," said Kirtley. "In incidents like this, companies must use change management principles to provide review of proposed containment measures, and follow up with a validation that the change was effective. A penetration test is the best way to validate changes such as this."
As of mid-day July 24 (Eastern Time), the GEDmatch website was still offline, with no ETA for availability.
Link to Phishing Scam Targeting MyHeritage?
Verogen attests that no user data was downloaded or compromised, and a lead genealogist with Parabon NanoLabs reportedly told BuzzFeed that her team, which is responsible for helping police with the majority of DNA-based criminal identifications, was not using the GEDmatch during the incident's time frame.
However, the operators online genealogy website MyHeritage are claiming that attackers may have used email accounts stolen from GEDmatch to launch a credential phishing campaign against GEDmatch users who had had their DNA tested through the MyHeritage service.
In a security alert, MyHeritage warned that unknown perpetrators on July 20 established a fake website with a lookalike domain, myheritaqe.com, and sent phishing emails to that advertise an "Ethnicity Estimate" service while also suggesting there was a "DNA match" found.
"What we found with all the users they did email, after speaking with these users, is that those users are all using GEDmatch," said the alert. "Because GEDmatch suffered a data breach [on July 19], we suspect that this is how the perpetrators got their email addresses and names for this abuse."
In a statement, GEDmatch said at this time there was "no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week." But if this was indeed the case, the scheme shows how a breach at one company can result in additional compromises at additional organizations with whom it has a business relationship. "This means that the perpetrators may launch a similar phishing attack also against Ancestry and 23andMe, because customers of these websites frequently upload their DNA data to GEDmatch as well, and the names and email addresses of these users may have been compromised on GEDmatch too," said MyHeritage, while acknowledging the possibility that GEDmatch's user database may have been stolen in an even earlier intrusion prior to the July 19 and 20 incident.
"Phishing campaigns have grown more sophisticated over the course of the past 18 months, in large part because of the availability of the data leaked via... breaches," making it possible to "identify high value targets, and target phishing scams that reference previous employers, family member names, even purchase history and data gleaned from credit card statements," said Kevin O’Brien, CEO of GreatHorn.
If scammers got their hands on genetic data, or even were able to identify individual email addresses associated with a DNA testing service (which may have been the case here), "we can expect to see more scams” that use lures such as “lost family connections, or the revelation of embarrassing or life-threatening genetic disorder/disease information."
Dr. Rachele Hendricks-Sturrup, health policy counsel at the Future of Privacy Forum (FPF), envisioned a scenario in which a phishing scammer might take information stolen from a company like GEDmatch and fabricate "a fake DNA profile,” that supposedly matches the DNA of a user with a compromised account.
Anurag Kahol, CTO of Bitglass, noted that health care data in general "is a lucrative target for hackers, as the information commands high value on the dark web, up to 10 times more than the average credit card data breach record.” Additionally, “The loss of DNA records and personally identifiable information (PII) could enable malicious actors to commit identity theft, insurance fraud, and targeted spear phishing campaigns."
For that reason, he said, organizations must institute proper data security controls and maintain "full visibility and control over customers’ data by leveraging solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent unauthorized users from accessing sensitive data.”
“…DNA information on its own, with current technology, is likely not that valuable to threat actors who are trying to defraud individuals because the effort needed to extract useful information from the DNA is likely very high,” said Boyd. “It is unlikely the exposure of DNA on its own would lead to identity theft unless organizations were to start using DNA as a means of authenticating your identity.”
However, “If a threat actor knew you used a certain platform to test your DNA, that may give their phishing email more legitimacy and increase the chances are you would click on the link,” Boyd continued. “Similarly, if they could tell certain information about you based on your DNA, they may be able to craft phishing emails that are more likely to gain your attention.”
Cynthia Cole, special counsel at law firm Baker Botts, agreed that Boyd that "DNA alone may not be useful," to cybercriminals, but could be used as "part of a larger scheme to exploit personal information, and that is the real problem: all the building blocks of personal information taken together and used and reused by bad actors."
There are potential privacy law and regulatory ramifications at stake as well, particularly now that the California Consumer Privacy Act (CCPA) is actively being enforced. James Carder, chief security officer and VP at LogRhythm,said the GEDmatch incident "will be an implicit test of CCPA and the impact that it and other privacy legislations will have in creating accountability for corporate data and privacy protection."
DNA data presents a significant privacy problem, noted Carder, considering that “a person cannot change their genetic information in the way they could change their credit card number in the event of a breach."
Moreover, said Hendricks-Sturrup, “Genetic information is unique in that once it is exposed, it is not only possible to identify a single person, but also that person's biological relatives. This sort of creates a ripple effect…
Another key question: What if law enforcement prosecute an individual based on a DNA match conducted while the user permission settings were changed?
"While a detailed review of the platform’s privacy policies would need to be examined, providing a user the ability to opt out of law enforcement review at a minimum gives users the expectation that their privacy choice would be respected," said Boyd. "If law enforcement utilized the breach in order to analyze DNA information to which they did not otherwise have the right to access, and law enforcement used that DNA information in a criminal prosecution, it is possible – though not certain – that information could still be admissible despite the fact that a user had opted out of law enforcement review."
"GEDMatch and law enforcement should communicate now to resolve any discrepancies in what law enforcement may have accessed during that time and what GEDMatch users authorized around law enforcement access to their information," said Hendricks-Sturrup.
“Only recently did GEDMatch users receive the option to opt-in to law enforcement access to its users' information. So I think GEDMatch users have a right to ask questions around liability if GEDMatch made promises to employ strong data security practices for its users… If GEDMatch takes necessary steps to resolve the discrepancies I noted... then any harm done to GEDMatch users could potentially be remedied."