Leaked database of 61 million health-tracking device users contains records on people located in the UK
- Alex Scroxton, Security Editor
Published: 14 Sep 2021 14:13
The leak of a database of the records of users of Apple HealthKit and Google FitBit services, alongside many other brands of health-tracker products, has once again highlighted the critical importance of securing enterprise databases, and may still have put more than 61 million people – including an unknown number in the UK – at risk of compromise by opportunistic cyber criminals.
The unsecured, 16.7GB database, which was left exposed to the public internet without password protection, was discovered by Website Planet and security researcher Jeremiah Fowler, and is owned by GetHealth, a New York-based provider of health data services.
Data points exposed in the leak included names, dates of birth, weight, height, gender and location. Affected people are located all over the world, said Fowler, who discovered the database on 30 June 2021, according to ZDNet.
“I immediately sent a responsible disclosure notice of my findings and received a reply the next day thanking me for the notification and confirming that the exposed data had been secured,” he said.
Fowler said it was unclear how long the data had been exposed, or whether it had been accessed by malicious actors, nor did he imply any wrongdoing by GetHealth, its customers or partners.
“We are only highlighting our discovery to raise awareness of the risks and cyber security vulnerabilities posed by IoT [internet of things], wearable devices, health and fitness trackers, and how that data is stored,” he said.
While most owners of wearable devices might be tempted to assume that no cyber criminal would be interested in their daily step count, this is not necessarily the case. For example, such data could theoretically be used to track the movements of somebody who walks their dog at the same time every day, and therefore when they are unlikely to be at home.
Although it is probably unlikely that the average burglar would go to such lengths to target a victim, Fowler pointed out that as wearable technology is developed and iterated, devices collect increasingly intimate data that may be more valuable to malicious actors. For example, they could use data on people who have set weight-loss targets to target them with phishing emails using diet or personal training plans as a lure.
Commenting on the incident, ProPrivacy’s Hannah Hart urged users of health-tracking apps and devices to check their privacy settings immediately, and to be vigilant against possible follow-on incidents.
“While wearable devices have made it that much easier to track our weight, sleep patterns, and even our relationship with alcohol – we rarely want this data to be widely accessible, as an individual’s health history should be entirely confidential,” she said. “While GetHealth has since secured the affected database, it is apparently still unclear who may have had access to the previously unsecured database and for how long.”
Comforte AG’s Trevor Morgan said the rapid rise and growth of health trackers reflected the fact that people enjoy tracking their own progress towards their goals.
“The ‘quantified self’ movement not only gained traction but went from zero to 100mph in a short time,” he said. “Of course, this data ends up in repositories, allowing us to analyse that data from many different angles and then make historical comparisons as time goes on. That’s a lot of personal information about a highly sensitive topic that most of us are hoping is kept wholly secure.”
Morgan said the incident highlighted the need for data accountability, security and privacy to be baked into organisational cultures, and noted that it also makes another strong argument for moving away from traditional protection methods, such as passwords, perimeter security and simple methods of data access management. Adopting data-centric security policies can go some way towards reducing the risk, he said, while tokenising key data elements can help to ensure data cannot be exploited by the wrong person if it does leak.
“At the end of the day, utilising as many protection methods as possible is the right way to go,” he said. “The alternative is an exercise in incident management and the accompanying negative fallout – and that’s the most punishing workout of all for any enterprise.”
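A concrete illustration of the tokenisation Morgan describes, added here as an example and not code from the article, GetHealth or Comforte: the direct identifiers the leak exposed (name, date of birth, location) are replaced by random tokens before a record reaches the analytics store, with the token-to-value mapping held in a separate vault. A leaked copy of the store then shows only tokens, while aggregate fields such as weight and height remain usable for analysis. The sample records, the `TokenVault` class and its in-memory dictionaries are constructed assumptions; in a real deployment the vault is a separately secured service.

```python
# Added example (not code from the article, GetHealth or Comforte): tokenise the
# direct identifiers in health-tracker records before they reach the analytics
# database, so a leaked copy of that database exposes tokens rather than names,
# dates of birth and locations. Sample records and the in-memory vault are
# constructed for illustration; a real vault lives in a separately secured
# store (assumption).
import hashlib
import hmac
import secrets
from statistics import mean

# Fields from the article's list of exposed data that directly identify a person.
# Weight, height and gender stay in the clear so aggregate analysis still works.
TOKENISED_FIELDS = ("name", "date_of_birth", "location")
TOKEN_PREFIX = "tok_"


class TokenVault:
    """Maps opaque random tokens back to original values.

    Equal (field, value) pairs always receive the same token, so records for the
    same person can still be joined in the analytics store. The lookup index is
    an HMAC under a vault-only key, so the vault never stores a plain hash that
    could be brute-forced from a short date of birth or a common name.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._lookup_key = lookup_key
        self._token_by_index = {}   # HMAC(field, value) -> token
        self._value_by_token = {}   # token -> original value

    def _index(self, field: str, value: str) -> str:
        msg = f"{field}\x00{value}".encode("utf-8")
        return hmac.new(self._lookup_key, msg, hashlib.sha256).hexdigest()

    def tokenise(self, field: str, value: str) -> str:
        idx = self._index(field, value)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random token: carries no information about the value it replaces.
            token = f"{TOKEN_PREFIX}{field}_{secrets.token_hex(8)}"
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def has_token(self, token: str) -> bool:
        return token in self._value_by_token

    def detokenise(self, token: str) -> str:
        return self._value_by_token[token]


def tokenise_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of `record` with identifying fields replaced by tokens."""
    out = dict(record)
    for field in TOKENISED_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.tokenise(field, str(out[field]))
    return out


def detokenise_record(record: dict, vault: TokenVault) -> dict:
    """Restore identifying fields; only a caller with vault access can do this."""
    out = dict(record)
    for field in TOKENISED_FIELDS:
        value = out.get(field)
        if isinstance(value, str) and vault.has_token(value):
            out[field] = vault.detokenise(value)
    return out


def exposed_identifiers(record: dict) -> list:
    """Identifying fields a reader of a leaked dump would see in the clear.

    Token-shaped values (the constructed prefix) are treated as protected.
    """
    return [
        field for field in TOKENISED_FIELDS
        if record.get(field) is not None
        and not str(record[field]).startswith(TOKEN_PREFIX)
    ]


def average_weight(records: list) -> float:
    """Aggregate analytics that works identically on tokenised records."""
    return mean(r["weight_kg"] for r in records)


# Constructed sample records in the shape the article describes (not real data).
SAMPLE_RECORDS = [
    {"name": "Example Person A", "date_of_birth": "1990-01-01",
     "weight_kg": 70.0, "height_cm": 175, "gender": "F", "location": "Leeds"},
    {"name": "Example Person B", "date_of_birth": "1985-06-15",
     "weight_kg": 82.0, "height_cm": 180, "gender": "M", "location": "Leeds"},
    {"name": "Example Person A", "date_of_birth": "1990-01-01",
     "weight_kg": 69.5, "height_cm": 175, "gender": "F", "location": "Leeds"},
]


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"constructed-demo-key-not-for-production")
    stored = [tokenise_record(r, vault) for r in SAMPLE_RECORDS]
    for row in stored:
        print(row)                      # what a leaked analytics dump would show
    print("exposed identifiers:", [exposed_identifiers(r) for r in stored])
    print("average weight:", average_weight(stored))
```

The design point is that the analytics store and the vault are two separate trust domains: an exposure of the kind described above, if it hit the analytics store, would yield consistent but meaningless tokens, and the vault key and mapping are the only things that turn them back into people.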
From a compliance standpoint, ProPrivacy’s Hart said the incident highlighted wider privacy concerns around wearable technology itself. In the US, for example, federal law protects health data from being disclosed without patient consent under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
“HIPAA regulations would typically protect this data, but because the data collected by wearables isn’t considered PHI [protected health information] unless shared with a healthcare provider or medical institution, some companies may be able to sell or share it with third parties,” she said.