An unsecured database of over 61 million records from users around the world, related to wearables and fitness trackers, has been published online. The team from the online portal WebsitePlanet and cybersecurity researcher Jeremiah Fowler discovered the non-password-protected database on June 30th.
On Monday (13.9.), WebsitePlanet and Fowler reported that the database belongs to GetHealth. New York-based GetHealth describes itself as “a holistic solution for accessing health and wellness data from hundreds of wearables, medical devices and apps”. The company’s platform is capable of pulling health-related data from sources such as Fitbit, Misfit Wearables, Microsoft Band, Strava and Google Fit.
WebsitePlanet and Fowler said there were over 61 million records in the database, including large amounts of user information – some of which could be considered sensitive – such as names, dates of birth, weight, height, gender, and GPS logs. In a sample of about 20,000 records, the team found that most of the data sources came from Fitbit and Apple’s HealthKit. “The files also show where the data is stored and a map of how the network works and has been configured from the backend,” they added.
Traces point to GetHealth
References to GetHealth in the nearly 17 gigabyte database indicate that the New York company was the owner. After reviewing the data, Fowler privately shared his findings with the company. GetHealth responded quickly, and the records were secured within a few hours. That same day, the company’s chief technology officer contacted Fowler to inform him that the security problem had been fixed and thanked him.
“It is unclear how long these records were open or who else had access to the records,” writes WebsitePlanet. “We do not accuse GetHealth, its customers or partners of any wrongdoing. We also do not imply that any customer or user data was at risk. We were not able to determine the exact number of persons affected before public access to the database was blocked.”
Stronger regulation required
Scientists have long been calling for stronger regulation of wearables and other technology worn on and in people. The “internet of the body” raises many ethical questions, according to researchers at the US think tank RAND in a study published in late 2020. Fitness bands and smartwatches collect more and more sensitive personal data, which undermines more than just privacy. According to the RAND researchers, legislators should therefore lay down requirements for the transparency and protection of the sensitive personal information collected.
The US Department of Defense now bans soldiers from using fitness trackers and smartphone apps that can reveal location data in operational areas. At the beginning of 2018, the fitness app Strava came under fire because the activity maps it published could reveal the location and use of military bases.