Written by Amer Owaida, Security Writer at ESET
Hundreds of thousands of records belonging to plastic surgery patients have been discovered sitting on an unprotected server and accessible for anyone to view. The data were stored on an Amazon Web Services (AWS) S3 bucket database belonging to NextMotion, a plastic surgery technology company that provides imaging solutions to clinics around the world.
Researchers at vpnMentor, who uncovered the leak, were able to access some 900,000 individual records. These ranged from before-and-after images and videos of cosmetic procedures to materials of a highly sensitive nature, including graphic photos of the patients’ private body parts. The origin of the records is not clear but it can be assumed that the leak affected NextMotion clients.
Besides patient facial and body photos, the trove of information included invoices, outlines of proposed treatments, and video files including 360-degree face and body scans. The invoices detailed the medical procedures, their costs, dates when they were performed, and personal information that could help identify patients.
All things considered; the data could allow hackers with malicious intent to create a comprehensive portrait of their potential victims. The patients could then easily become targets of identity theft, phishing, financial fraud or even sextortion, where criminals use intimate material to demand a ransom.
NextMotion CEO Dr. Emmanuel Elard apologized, adding that the issue has been addressed: “Amazon Web Service warned us on the 30th of January. After internal discussions with Amazon’s support, we immediately took corrective steps on the 4th February. The cybersecurity company formally guaranteed that the security flaw had completely disappeared.”
As NextMotion is headquartered in France and offers services in the European Union (EU), it is subject to the EU’s General Data Protection Regulation (GDPR). Although the company’s website states that its technology is GDPR certified, the failure to secure patients’ sensitive data may carry stiff penalties and legal actions.
Misconfigured and unsecured public-facing data repositories have become a common occurrence. In one recent case, thousands of birth certificate applications were stored unprotected on an AWS cloud platform, while another data leak affected almost all of Ecuador’s citizens. These leaks were unintentional, but there have been cases where cosmetic surgery clinics, such as a well-known clinic in London, were targeted by cybercriminals.