GetHealth, a health and wellness data unification solution provider, exposed 61 million fitness-tracking records due to a platform misconfiguration.
The data related to wearable technology and fitness services and platforms, such as Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit. The GetHealth platform misconfiguration was discovered by WebsitePlanet and cybersecurity researcher Jeremiah Fowler; the database was not password protected. The data contained within included names, dates of birth, weight, height, gender, and GPS logs.
Expert Commentary: GetHealth Platform Misconfiguration
Tim Erlin is VP of Strategy at Tripwire.
“Misconfigurations, such as a database without a password, allow attackers easy access to your systems or data. It’s the equivalent of leaving your door unlocked or window open.
All organizations should regularly audit their systems for misconfigurations, especially those systems that are accessible to the Internet. Even if you’ve deployed systems with a secure configuration to start, a simple change can give attackers access.
Misconfigured systems aren’t just at risk from attackers, but they often pose a compliance risk as well. Compliance audits can result in fines and other consequences that have a material impact on your business. It may be complex, but understanding which regulations apply to which parts of your environment is a foundational requirement for doing business in today’s data-driven, connected world.”
Erich Kron is a Security Awareness Advocate at KnowBe4.
“This data breach, while seeming to be somewhat benign due to the lack of social security numbers or credit card info, actually contains a significant amount of information that could be useful for criminals. This information, which includes GPS logs of individuals, is the kind of information that will cause a collective groan of pain from executive protection teams and physical security practitioners alike. This information makes it much easier for bad actors to locate where people are living or staying, and can expose patterns of travel.
Whenever an organization collects data on individuals, it is critically important that the processes are in place to ensure that information is not left unsecured. The data should also be encrypted to protect it from prying eyes in the event there is an issue.”
Josh Rickard is Security Solutions Architect at Swimlane.
“Platform misconfigurations, like those in the GetHealth database, can have long-standing and upsetting repercussions, even after exposed records have been restricted from public access. In this case, 61 million records containing personally identifiable information (PII), such as names, birthdates, gender, and personal health information, have been exposed to the public and violated victims’ privacy.
Although data exposures such as the GetHealth exposure are becoming increasingly frequent, organizations can prevent similar situations and protect valuable human data by centralizing and automating their current security threat detection, response, and investigation processes into a single platform. The implementation of a SOAR solution allows for real-time security automation to respond to incidents and execute the appropriate security-related tasks. With comprehensive security automation, the chance for human error is eliminated and customers remain protected.”
Thanks to the experts for their thoughts on the GetHealth Platform Misconfiguration. For more, check out the SIEM Buyer’s Guide.