Fitbit, Apple fitness tracker data exposed on unprotected database
A database that was not password protected exposed more than 61 million records containing data from fitness trackers and wearables, according to a breach report by WebsitePlanet and security researcher Jeremiah Fowler.
Fowler and WebsitePlanet’s research team found many of the exposed records contained information like first and last name, display name, birthdate, weight, height, gender and geolocation data.
In a limited sample of around 20,000 records, Fowler wrote that popular wearable Fitbit appeared as a source more than 2,700 times, and Apple Healthkit was shown as a source more than 17,700 times.
But other apps or wearables could have been affected, Fowler wrote. The database came from GetHealth, a New York City-based company that provides an API for wearables. It also pulls data from sources like 23andMe, Daily Mile, FatSecret, GoogleFit, Microsoft and Android Sensor.
Fowler said he sent a disclosure notice of his findings to GetHealth, and the company notified him the next day that the database had been secured.
“We are not implying any wrongdoing by GetHealth, their customers or partners. Nor are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access,” he wrote.
“We are only highlighting our discovery to raise awareness of the dangers and cybersecurity vulnerabilities posed by IOT [internet of things], wearable devices, fitness and health trackers, and how that data is stored.”
WHY IT MATTERS
Wearables and other fitness tracking devices have gone mainstream. About 21% of U.S. adults say they regularly wear a smartwatch or fitness tracker, according to a Pew Research survey conducted in 2019.
In his report, Fowler notes many fitness trackers are tied to profiles where users are encouraged to input personal information, which could make it easier to identify the person behind the data in the event of a breach.
“Most wearable users think that no cybercriminal is interested in how many steps they take or how long they sleep, but this is a mistake to ignore how your data is used or shared. All data is valuable and as the technology of wearables expands, so does the types and accuracy of data that is collected on users,” he wrote.
“A simple step counter or pedometer is relatively harmless, while some wearable devices can identify more detailed information such as your heart rate or body mass index and much more. In theory the detailed information that fitness trackers collect on millions of users can provide an overall portrait of these individuals and their general health.”
THE LARGER TREND
Healthcare data breaches are on the rise, according to a report by risk protection services vendor Constella Intelligence. Though the healthcare sector made up only 3% of breaches in 2020, the industry saw a 51% increase in the total volume of records exposed compared with the previous year.
Healthcare data is also valuable to hackers. A Trustwave study commissioned in 2017 found a healthcare record for one person cost an average of $250, significantly higher than credit card information, which cost $5.40.