Plastic Surgery Database Exposed: ResearchersFrench Technology Firm's Database Was Unprotected, Report Says
An unsecured database belonging to a French technology firm that supplies video and digital equipment to plastic surgery and dermatology clinics exposed content on 900,000 patients, according to a report from two independent security researchers.
The database belongs to French tech firm NextMotion, according to Noam Rotem and Ran Locar, self-described security researchers and hacktivists, according to their blog post on the site vpnMentor. NextMotion's website says the company has sold hardware and software to 170 clinics in 35 countries.
The two researchers are working on a large-scale web mapping project, using port scanning techniques to look at various known IP blocks and addresses. They were able to access the NextMotion database because it was not password-protected or encrypted, according to the report.
What Was in Database?
In a statement posted on its website, NextMotion says that only media files were exposed and not patient data. "These media are stored in a specific database separated from the patients’ personal data database (names, birth dates, notes, etc.) – only the media database was exposed, not the patients’ database," according to the statement.
A spokesperson for NextMotion could not be reached for comment on Tuesday.
In their report, however, Rotem and Locar say personally identifiable information of patients could be found in invoices and some of the other paperwork stored in the database.
The database was hosted within an Amazon Web Services S3 bucket.
The exposed NextMotion database was first discovered on Jan. 24, and it was password protected by Feb. 5, according to Rotem and Locar. When the two researchers first came across the cloud database, they found thousands of images belonging to patients treated at clinics that used NextMotion's technology, they say in their report.
The research report does not make clear if anyone downloaded or copied the contents of the database during the time it was exposed.
Richard Henderson, head of global threat intelligence at security firm Lastline, notes although it appears that NextMotion made an error by not securing its AWS S3 bucket, it’s not clear if it could be sanctioned under the EU’s General Data Protection Regulation.
"When it comes to GDPR, what happens next isn't going to be crystal clear,” Henderson says. “Most EU states prefer to lean toward educating organizations on best practices around data privacy and protection - but France has shown multiple times in the past that they are not afraid to levy substantial penalties for GDPR violations. The fact that the researchers ethically disclosed the open bucket and the company was quick to respond and plug the leak plays in NextMotion's favor."
Other Exposed Databases
Over the last several years, Rotem and Locar have tracked a number of exposed databases as part of their research project.
In October 2018, for example, the two found 179 GB of unsecured customer data belonging to Autoclerk, which offers cloud-based management systems for web bookings at hotels as well as loyalty programs, payment processing and other services. The exposed data included travel arrangements and other data for U.S. military and other government personnel (see: Unsecure Database Exposed US Military Personnel Data: Report).