Another day, another data breach – This time, a plastic surgery technology company has leaked highly sensitive data and as usual, victims of the breach are unsuspecting customers.
About a month ago, on 24 January, a team of researchers from vpnMentor discovered a new data breach that exposed the media data of thousands of plastic surgery patients – the details have only recently been shared by vpnMentor.
To discover how this happened, let’s look at NextMotion, a company founded in 2015 that provides over 170 clinics globally with a variety of services, including data management, digitalization of all documentation and patient records, marketing, photography and videography.
To do this, it has to store thousands of confidential images online, some of which show specific body parts, making these records even more sensitive. It does so via its own proprietary software, with the claim that “all your data is covered with the highest requested security level” in compliance with the GDPR and other laws.
However, a look at its database on Amazon Web Services (AWS) revealed the very opposite. The data sat in an S3 bucket that was completely insecure, without any access control mechanism whatsoever, making Trump’s security measures on his iPhone look great by comparison.
Since the database was named after the company itself, it did not take long to find out who owned it either. This, according to vpnMentor’s blog post, allowed its research team to access “almost 900,000 individual files” comprising images (both profile and body), videos including “360-degree body and face scans,” invoices and treatment proposals.
Another example of a profile image of a patient found in the database:
Although the origins of these images are unknown, third parties with malicious intent could use them to identify patients’ faces. Moreover, certain personally identifiable information (PII) was also found in the exposed invoices, which could be used to target the victims with social engineering techniques such as phishing.
To put matters into perspective, the breach was reported to NextMotion on 27 January and then to AWS on 30 January, and it was fixed by 5 February. Furthermore, the company has been issuing updates on its website about an ongoing investigation and has apologized for the shortcoming found in its security.
In the long term, though, it may lose key customers who would not be fond of partnering with a company that compromises its end users. If you’re a customer of any such clinic, it is recommended that you seek information from its management on how your data is being handled to avoid becoming a victim.
On the other hand, if you use AWS or any other cloud-based solution for your business, you should always make sure your databases are private, have two-factor authentication in place and are configured according to the best practices recommended by the vendor.
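As an added illustration of that last recommendation (example code written for this article, not NextMotion’s or vpnMentor’s), the checks below flag the kind of bucket exposure described above: a bucket policy or ACL that grants access to everyone, and a Block Public Access configuration that is not fully enabled. The inputs are constructed samples in the shape the S3 API returns; the bucket name and Sid are placeholders.

```python
import json

# Added example (not the article's or NextMotion's code): offline checks over the
# policy / ACL / Block Public Access documents the S3 API returns for a bucket.
PUBLIC_ACL_URIS = {  # ACL grantee groups that mean "anyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} (possibly inside a list) grants to everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids of Allow statements open to everyone and not narrowed by a Condition."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(acl):
    """Permissions the bucket ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_URIS]

def block_public_access_ok(config):
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))

# Constructed samples: a wide-open bucket (policy and ACL) like the one in the
# article, and the hardened Block Public Access configuration to aim for.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-clinic-media/*"}]})
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
HARDENED_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

Feed the functions the output of `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` for each bucket you own; any non-empty list or a False result is a finding to fix before data lands in the bucket.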