The leak of a database of the data of customers of Apple HealthKit and Google FitBit providers, alongside a number of different manufacturers of health tracker merchandise, has highlighted as soon as once more the essential significance of securing enterprise databases, and will put greater than 61 million folks – together with an unknown quantity within the UK – prone to compromise by opportunistic cyber criminals.
The unsecured, 16.7GB database, which was left uncovered to the general public web with out password safety, was uncovered by Web site Planet and safety researcher Jeremiah Fowler, and is owned by GetHealth, a New York-based supplier of well being information providers.
Information factors uncovered within the leak included names, dates of delivery, weight, top, gender and site. Affected people are positioned all around the world, stated Fowler, who uncovered the database on 30 June 2021, in accordance with ZDNet.
“I instantly despatched a accountable disclosure discover of my findings and acquired a reply the next day thanking me for the notification and confirming that the uncovered information had been secured,” he stated.
Fowler stated it was unclear how lengthy the info data had been uncovered, or whether or not or not they’d been accessed by malicious actors, nor did he indicate any wrongdoing by GetHealth, its prospects or companions.
“We’re solely highlighting our discovery to boost consciousness of the risks and cyber safety vulnerabilities posed by IoT [internet of things], wearable units, health and well being trackers, and the way that information is saved,” he stated.
Whereas most homeowners of wearable units could be tempted to imagine that no cyber prison might presumably be considering their each day step depend, this isn’t essentially the case. For instance, such info might theoretically be used to trace the actions of somebody who walks their canine on the identical time each day and due to this fact when they’re unlikely to be at house.
Though it’s most likely unlikely that the common burglar would go to such lengths to focus on a sufferer, Fowler identified that as wearable know-how is developed and iterated, units gather increasingly more intimate information that could possibly be extra worthwhile to malicious actors. For instance, they may use information on individuals who have set weight reduction objectives to focus on them with phishing emails utilizing food regimen or private coaching plans as a lure.
Commenting on the incident, ProPrivacy’s Hannah Hart urged customers of fitness-tracking apps and units to examine their privateness settings instantly, and be vigilant in opposition to attainable follow-on incidents.
“Whereas wearable units have made it that a lot simpler to trace our weight, sleep patterns, and even our relationship with alcohol – we hardly need this info to be extensively accessible as an individual’s well being historical past ought to be totally confidential,” she stated. “Whereas GetHealth has since secured the affected database, it’s apparently but unclear who may need had entry to the beforehand unsecured database and for the way lengthy.”
Comforte AG’s Trevor Morgan stated the fast rise and improvement of health trackers mirrored the truth that folks take pleasure in monitoring their very own progress in direction of their objectives.
“The ‘quantified self’ motion not solely gained traction however went from zero to 100mph in a short time,” he stated. “After all, this information finally winds up in repositories, permitting us to analyse that info from many alternative angles after which carry out historic comparisons as time goes on. That’s a whole lot of private information a few extremely delicate subject most of us are hoping is saved wholly safe.”
Morgan stated the incident highlighted the necessity for information duty, safety and privateness to be baked into organisational cultures, and famous that it additionally highlights one other sturdy argument for shifting away from conventional safety strategies, reminiscent of passwords, perimeter safety and easy strategies of knowledge entry administration. Adopting data-centric safety insurance policies can go a way in direction of decreasing the danger, he stated, whereas tokenising key information parts may help to make sure information can’t be exploited by the incorrect individual if it does leak.
“On the finish of the day, utilising as many safety strategies as attainable is the appropriate solution to go,” he stated. “The choice is an train in incident administration and the accompanying unfavorable fallout – and that’s essentially the most punishing exercise of all for any enterprise.”
From a compliance standpoint, ProPrivacy’s Hart stated the incident highlighted wider privateness considerations round wearable know-how itself. Within the US, for instance, federal legislation protects well being information from being disclosed with out affected person consent beneath the Well being Insurance coverage Portability and Accountability Act (HIPAA) of 1996.
“HIPAA rules would normally shield this information, however because the info collected by wearables isn’t thought of PHI [protected health information] except shared with a physician or hospital, some corporations might be able to promote or share it with third events,” she stated.