[Security Weekly] 61 Million Fitness Tracking Records Exposed on Misconfigured Database

cover image

September 2021, Issue II


1. 61 million fitness tracking records exposed on misconfigured database

On September 13, cybersecurity researchers at Website Planet revealed an earlier discovery of a misconfigured database that exposed over 61 million fitness tracking records collected from wearable fitness devices.

The leaky database was first found without any password protection on June 30. After reviewing the data, the researchers identified the owner of the database to be GetHealth, a New York-based company that unifies all fitness data tracked by different wearable devices by collecting them from apps like Google Fit, Apple Health, Microsoft Band, Fitbit, and more.

The exposed data contained sensitive personal information such as names, dates of birth, gender, body measures, GPS logs, and other fitness and health-related data. After some thorough sampling, the researchers found that most data belonged to users of Apple Health and Fitbit.

After being informed of the leak, GetHealth immediately closed off the database within hours. However, it remains unclear whether the data were accessed by any third parties prior to the discovery.

Sources: ZDNet, MobiHealthNews, Fierce Healthcare


2. Singaporean telco MyRepublic suffers data breach following supply chain attack

MyRepublic, a Singapore-based telecommunications provider that serves Singapore, Australia, and New Zealand, disclosed a data breach that impacted 79,338 mobile service customers in Singapore. The breach originated from a cyberattack at an unnamed third-party data storage supplier.

The compromised records contained sensitive personal information used for service registration. This included copies of national identity cards for citizens and proof of residential addresses for non-citizens. MyRepublic suggested that no payment data were compromised and that its operations remained unaffected.

After detecting unauthorized access on August 29, the supplier immediately mitigated the attack. Yet it remains unknown whether the compromised data had been used for malicious activities. MyRepublic is currently contacting all affected customers by email and plans to offer free credit monitoring services.

Sources: Infosecurity, Bleeping Computer


3. South African Department of Justice shuts down following ransomware attack

South Africa’s Department of Justice and Constitutional Development suffered a massive ransomware attack on September 6 which encrypted all IT systems under its network. Restoration operations have been ongoing for over two weeks.

All electronic services were halted for both internal staff members and the public. These include all services offered through the Department’s website and email, issuance of letters of authority, and bail services. The Department added that the monthly child maintenance payments were also put on hold until systems are restored.

It remains unclear who was behind the attack and whether sensitive data were stolen prior to ransomware deployment. It appears that the Department has begun to set up a new email system and started migrating user accounts, a sign that no ransom has been paid.

Sources: Bleeping Computer, IT Web


4. United Nations suffers data breach due to stolen login credentials

An unidentified threat actor exploited a set of stolen login credentials from a United Nations employee to gain access into the organization’s network for a four-month period between April 5 and August 7.

The compromised credentials belonged to an account of Umoja, UN’s proprietary project management software. After gaining access to the account, the hacker leveraged the information found in the account to launch further attacks against a variety of agencies within the UN.

The initially compromised account was said to have no two-factor authentication (2FA) in place, making it the main cause of the incident. Traditional password-based protection is not enough to handle today’s sophisticated attack mechanisms. This is why adopting an identity and access management (IAM) solution like iSIGN+ is essential for all organizations. iSIGN+ not only allows for single sign-on (SSO), but also enables multi-factor authentication (MFA) using advanced technologies such as biometrics and mobile OTPs.

Sources: Threatpost, Infosecurity


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security