Plastic surgery tech firm leaks images of 100,000s of customers

Another day, another data breach – This time, a plastic surgery technology company has leaked extremely sensitive information and as usual, victims of the breach are unsuspecting customers.

About a month ago on 24 January, a team of researchers from vpnMentor discovered a new data transgress that light-emitting diode to the media data of thousands of impressionable operating theater patients to be exposed – The details of it ingest been only joint recently by vpnMentor.

To discover how this happened, let's look at NextMotion, a ship's company found in 2015 that provides over 170 clinics globally with a variety of services including data direction, digitalisation of every certification and patient records, marketing, picture taking & videography.

See: Hackers Leak Thousands of Naked Photos of Plastic Surgery Patients

To achieve this, it has to store thousands of images online which are confidential and smooth may involve specialised body parts fashioning these records even more light-sensitive. It does indeed via its own proprietary software with the claim that "all your data is covered with the highest requested security level" in compliance with the GDPR regularization and other laws.

However, a await at its database on Amazon World Wide Web Services (AWS) revealed the very inverse. Inside an S3 bucket, it was found completely insecure without any admittance control mechanism whatsoever making Trump's security measures on his iPhone look great.

Since the database was onymous after the company itself, it did not take sesquipedalian to get a line WHO owned information technology as well. This, according to vpnMentor's blog Post allowed its inquiry squad to access "almost 900,000 individual files" comprising of images (some profile and body,) videos including "360-stage body and confront scans," invoices and treatment proposals.

An exercise of an invoice recovered in the violate (Persona via vpnMentor)

Another instance of a profile epitome of a patient launch in the database:

Although the origins of these images are obscure, third-party with malicious intent can use them to identify patients' faces. Moreover, certain personally identifiable information (PII) was as wel found in the exposed invoices which could exist used to target the victims using elite applied science techniques such as phishing.

To put matters into perspective, the breach was reportable to NextMotion on the 27th of January and then to AWS on the 30th of January leading it to be fixed by 5th February. Furthermore, the company has also been issuing updates on its internet site about an current investigation and has apologized for the shortcoming found in its security.

See: The Dark Overlord hacks elastic surgery clinic; demands ransom

In the long terminal figure though, it may recede keystone customers who would not be so fond of partnering with a company that compromises its end users. If you'Ra a customer of any so much clinic, it is recommended that you attempt information from their management on how your data is being handled to avoid becoming a victim.

On the other deal, if you happen to use AWS Beaver State any other obnubilate-based solution for your business, you should always make sure your databases are private, have ii-divisor authentication in place and are configured with unexceeded practices recommended by vendors.

Did you enjoy reading this article? Like our page on Facebookand keep an eye on us on Twitter.