The leak of a database of the data of customers of Apple HealthKit and Google FitBit providers, alongside a number of different manufacturers of health tracker merchandise, has highlighted as soon as once more the crucial significance of securing enterprise databases, and will put greater than 61 million folks – together with an unknown quantity within the UK – susceptible to compromise by opportunistic cyber criminals.
The unsecured, 16.7GB database, which was left uncovered to the general public web with out password safety, was uncovered by Web site Planet and safety researcher Jeremiah Fowler, and is owned by GetHealth, a New York-based supplier of well being information providers.
Information factors uncovered within the leak included names, dates of start, weight, top, gender and placement. Affected people are situated everywhere in the world, stated Fowler, who uncovered the database on 30 June 2021, in line with ZDNet.
“I instantly despatched a accountable disclosure discover of my findings and acquired a reply the next day thanking me for the notification and confirming that the uncovered information had been secured,” he stated.
Fowler stated it was unclear how lengthy the information data had been uncovered, or whether or not or not that they had been accessed by malicious actors, nor did he indicate any wrongdoing by GetHealth, its clients or companions.
“We’re solely highlighting our discovery to lift consciousness of the risks and cyber safety vulnerabilities posed by IoT [internet of things], wearable units, health and well being trackers, and the way that information is saved,” he stated.
Whereas most house owners of wearable units may be tempted to imagine that no cyber legal may presumably be fascinated about their day by day step rely, this isn’t essentially the case. For instance, such data may theoretically be used to trace the actions of somebody who walks their canine on the identical time day by day and due to this fact when they’re unlikely to be at dwelling.
Though it’s in all probability unlikely that the common burglar would go to such lengths to focus on a sufferer, Fowler identified that as wearable know-how is developed and iterated, units gather increasingly intimate information that may very well be extra invaluable to malicious actors. For instance, they might use information on individuals who have set weight reduction targets to focus on them with phishing emails utilizing weight-reduction plan or private coaching plans as a lure.
Commenting on the incident, ProPrivacy’s Hannah Hart urged customers of fitness-tracking apps and units to examine their privateness settings instantly, and be vigilant towards attainable follow-on incidents.
“Whereas wearable units have made it that a lot simpler to trace our weight, sleep patterns, and even our relationship with alcohol – we hardly need this data to be extensively accessible as an individual’s well being historical past ought to be completely confidential,” she stated. “Whereas GetHealth has since secured the affected database, it’s apparently but unclear who may need had entry to the beforehand unsecured database and for the way lengthy.”
Comforte AG’s Trevor Morgan stated the fast rise and improvement of health trackers mirrored the truth that folks get pleasure from monitoring their very own progress in direction of their targets.
“The ‘quantified self’ motion not solely gained traction however went from zero to 100mph in a short time,” he stated. “In fact, this information in the end winds up in repositories, permitting us to analyse that data from many alternative angles after which carry out historic comparisons as time goes on. That’s lots of private information a couple of extremely delicate matter most of us are hoping is saved wholly safe.”
Morgan stated the incident highlighted the necessity for information duty, safety and privateness to be baked into organisational cultures, and famous that it additionally highlights one other sturdy argument for transferring away from conventional safety strategies, comparable to passwords, perimeter safety and easy strategies of knowledge entry administration. Adopting data-centric safety insurance policies can go a way in direction of lowering the chance, he stated, whereas tokenising key information parts might help to make sure information can’t be exploited by the improper individual if it does leak.
“On the finish of the day, utilising as many safety strategies as attainable is the precise strategy to go,” he stated. “The choice is an train in incident administration and the accompanying destructive fallout – and that’s essentially the most punishing exercise of all for any enterprise.”
From a compliance standpoint, ProPrivacy’s Hart stated the incident highlighted wider privateness considerations round wearable know-how itself. Within the US, for instance, federal regulation protects well being information from being disclosed with out affected person consent underneath the Well being Insurance coverage Portability and Accountability Act (HIPAA) of 1996.
“HIPAA laws would often defend this information, however because the data collected by wearables isn’t thought-about PHI [protected health information] until shared with a health care provider or hospital, some firms could possibly promote or share it with third events,” she stated.