An unsecured database has exposed hundreds of thousands of sensitive plastic surgery images.
Researchers at vpnMentor discovered the unsecured Amazon Web Services (AWS) S3 bucket on January 24.
Fortunately, the database was named after the company, and researchers Noam Rotem and Ran Locar were able to identify NextMotion as the owner. NextMotion is a French plastic surgery tech firm with 170 clinics worldwide in 35 countries.
The firm’s website claims that “All your data is 100% secure”; vpnMentor found otherwise. Researchers were able to access almost 900,000 individual files, including extremely sensitive images, videos, and paperwork relating to plastic surgery, consultations and dermatological treatments performed by clinics utilising NextMotion’s technology.
The exposed private personal data also included invoices for treatment, outlines of proposed treatments, patient profile photos (both facial and body), and video files including 360-degree body and face scans.
Many of the images were extremely graphic, some displaying close-ups of women’s exposed breasts and genitals, so public exposure of these photos would be devastating for many of the affected women.
In a press release, Dr Emmanuel ELARD, CEO of NextMotion, explained that only the media database was exposed, not the patients’ database.
“Amazon Web Service warned us on the 30th of January. After internal discussions with Amazon’s support, we immediately took corrective steps on the 4th February. The cybersecurity company formally guaranteed that the security flaw had completely disappeared. This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application,” the CEO said.
As NextMotion is located in France, it falls within the EU’s jurisdiction and the GDPR, and because the exposed data is patient data, it could face fines or legal action under the GDPR.
“The biggest concern in this leak is the privacy and security issues it would have created for the patients themselves. Aside from the incredibly sensitive and intimate nature of the files exposed, they also made those affected vulnerable to numerous forms of fraud, theft, and online attack,” said vpnMentor.