Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached database belonging to plastic surgery technology company NextMotion.
Based in France, NextMotion provides clinics working in dermatology, cosmetic, and plastic surgery with digital photography and video devices for their patients. The company was established in 2015 by a team of plastic surgeons and has grown rapidly: It achieved a global presence in 2019, with 170 clinics worldwide in 35 countries.
The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated, says the vpnMentor report.
NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured, say the researchers. The team had access to almost 900,000 individual files, which included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.
The private personal user data the researchers viewed included:
- Invoices for treatments
- Outlines for proposed treatments
- Video files, including 360-degree body and face scans
- Patient profile photos, both facial and body
The origins of the photos and files within the database were not clear at the time of writing, as there’s little information attached to them. This leak possibly affected NextMotion clients (and their patients) around the world, note the researchers. The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients, which can be used to target people in a wide range of scams, fraud, and online attacks. NextMotion’s database posed a real risk to the people exposed, with wide-ranging privacy and security implications for all those involved, warn the researchers.
For more information, visit vpnMentor's report.