Attacks on DNA services create phishing opportunities, stir privacy debate

A malicious server compromise recently confirmed by DNA investigation services provider GEDmatch serves as a reminder of the incident response challenges and privacy ramifications that companies face when they trade in sensitive data – in this case, DNA, the most personal of data – especially when such incidents create unique opportunities for targeted phishing campaigns.


Owned by forensic science and sequencing company Verogen, GEDmatch is used by customers to learn more about their genealogy by comparing autosomal DNA data files between different testing kit providers. But law enforcement members also use the service to aid forensic investigations by matching DNA to samples collected at crime scenes. While users who submit their DNA kit results have the option to opt out of having their data accessible to law enforcement, the July 19 attack apparently changed user permission settings – making all case files potentially reviewable via the GEDmatch website for about a three-hour period.


Tony Kirtley, director, incident commander, at Secureworks, said that when an incident like this happens, the victimized company must remediate the situation, preserve any key forensic evidence and then ask several key questions: “How long was the information exposed? What specific information was exposed? Is there evidence that any un ..