The compromised database contained hundreds of thousands of profile images of patients, uploaded via NextMotion's proprietary software.
These were highly sensitive, including images of patients' faces and of the specific areas of their bodies being treated.
But such cases are rare.
Most often, we need days of investigation before we understand what's at stake or who's leaking the data.
Some affected parties deny the facts, disregard our research, or play down its impact.
So, we need to be thorough and make sure everything we find is correct and accurate.
Based on our team's discovery, however, this was not the case.
Paperwork files for less intense procedures were also exposed, as seen in the next two examples.
Below are examples of patients preparing for procedures on their faces.
This includes screenshots we took from videos we viewed.
The exposed paperwork and invoices also contained patients' Personally Identifiable Information (PII).
NextMotion is clearly aware of this.
In doing so, they created a wide range of potential issues.
For NextMotion
Data privacy is not just a critical business concern for companies working in medical industries.
There are serious legal considerations.
This could result in NextMotion losing current clients and affect their planned expansions to new markets.
All of these outcomes could result in long-lasting damage to NextMotion, their reputation, and their revenue.
The following consent form is from one of NextMotion's premier clients, a famous clinic in France.
This would also reduce the value of any investment made in NextMotion technology by a clinic.
As for NextMotion itself, this leak could have had many severe implications for any clinic using its software.
Cybercriminals could plant ransomware on clinics' servers and demand a ransom for not exposing patients.
They also contacted patients directly with similar demands.
The impact on their relationships, finances, and personal lives would be devastating.
Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
To learn more about data vulnerabilities and leaks in general, read our complete guide to online privacy.
They investigate each hole for data being leaked.
If possible, we will also inform any other party affected by the breach.
Our team was able to access this database because it was completely unsecured and unencrypted.
The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we're obliged to inform a company when we discover flaws in their online security.
We also never sell, store, or expose any information we encounter during our security research.
This has included an enormous data leak on Genius, an app built by the French postal service.
You may also want to read our VPN Leak Report and Data Privacy Stats Report.
They were able to extract videos and photos from some of our patients files.
This data had been de-identified (identifiers, birth dates, notes, etc.) and thus was not exposed.
We promptly implemented rectifying measures and this very firm officially confirmed that the security vulnerability had been fully eradicated.
This company also contacted the newspaper Le Parisien, with whom I spoke this morning.
We stand by you to answer precisely any questions worried patients may have.
Kindly accept my sincere apologies for this fortunately minor incident."
[Publication date: 14.02.2020]