[BreachExchange] Fitbit, Apple user data exposed in breach impacting 61M fitness tracker records

[Sophia Kingsbury]

https://www.fiercehealthcare.com/digital-health/fitbit-apple-user-data-exposed-breach-impacting-61m-fitness-tracker-records

An unsecured database containing over 61 million records related to fitness
trackers and wearables exposed Apple and Fitbit users' data online.

Researchers with WebsitePlanet and security researcher Jeremiah Fowler
discovered a non-password-protected database that contained tens of
millions of records belonging to fitness tracking and wearable devices and
apps. The unsecured database belonged to GetHealth, which offers a unified
solution to access health and wellness data from hundreds of wearables,
medical devices and apps, according to a WebsitePlanet report posted Monday.

The cybersecurity team discovered the unsecured database June 30, ZDNet
reported.

Fowler said he immediately sent a disclosure notice to the company of the
security findings. GetHealth responded rapidly, and the system was secured
within a matter of hours, ZDNet reported.

Many of the records contained user data that included first and last name,
display name, date of birth, weight, height, gender and geolocation. A
limited sampling of 20,000 records uncovered the majority of the exposed
records were from Fitbit devices and Apple Healthkit. According to
GetHealth’s website, the company can sync health-related data from sources
including 23andMe, Fitbit, Google Fit, Jawbone UP, Microsoft, Sony Lifelog,
Withings, Apple HealthKit and Android Sensor.

"It is unclear how long these records were exposed or who else may have had
access to the dataset," Fowler wrote in the report.

"We are not implying any wrongdoing by GetHealth, their customers or
partners. Nor, are we implying that any customer or user data was at risk,"
he wrote.

The report findings should help raise awareness of the dangers and
cybersecurity vulnerabilities posed by the Internet of Things, wearable
devices, fitness and health trackers and how those data are stored, Fowler
wrote.

The researchers recommend companies and organizations encrypt sensitive
data, enact cyber hygiene practices and conduct penetration testing often.

“Misconfigurations, such as a database without a password, allow attackers
easy access to your systems or data. It’s the equivalent of leaving your
door unlocked or window open," Tim Erlin, vice president of strategy at
cybersecurity company Tripwire, told Fierce Healthcare.

"All organizations should regularly audit their systems for
misconfigurations, especially those systems that are accessible to the
Internet. Even if you’ve deployed systems with a secure configuration to
start, a simple change can give attackers access," he said.

There are currently no clear HIPAA (Health Insurance Portability and
Accountability Act) regulations that apply to wearable technology as long
as the data are used for personal use. However, once the data from a
wearable device or fitness tracker are passed to a healthcare provider or
other institution, they may then be subjected to HIPAA regulations and
HIPAA compliance standards, Fowler noted.

"Wearable devices and smartphones have the technology to collect
patient-generated health data (PGHD) that could expose sensitive health
data, but the regulation seems to be far behind," he wrote.

Most wearable users think that cybercriminals will not be interested in how
many steps they take or how long they sleep. Fowler notes that all data are
valuable, and, as the technology of wearables expands, so do the types and
accuracy of data that are collected on users. The data could be used to
carry out other attacks, to commit fraud or extortion or to obtain more
targeted health information, the researchers wrote in the report.

The data breach, while seeming to be somewhat benign due to the lack of
Social Security numbers or credit card info, actually contains a
significant amount of information that could be useful for criminals,
according to Erich Kron, security awareness advocate at KnowBe4, a provider
of security awareness training.

"The fact that this information, which includes GPS logs of individuals, is
the kind of information that will cause a collective groan of pain from
executive protection teams and physical security practitioners alike. This
information makes it much easier for bad actors to locate where people are
living or staying, and can expose patterns of travel," Kron told Fierce
Healthcare via email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210914/122887db/attachment.html>