Thousands of plastic surgery patients had their before-and-after photos accidentally exposed on the internet due to an unprotected server.
As security researchers Noam Rotem and Ran Locar revealed today, the open database carried almost 900,000 files on plastic surgery patients, likely from across the globe. "These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations," the researchers wrote in a post on vpnMentor, a VPN review site.
Rotem and Locar quickly traced the database back to the French company NextMotion, which offers an "all-in-one" software platform to help plastic surgery clinics manage their patients. The company's clients include more than 170 clinics in 35 countries. But for some reason, NextMotion stored all the collected information in an Amazon Web Services S3 storage bucket that was left open to the internet: anyone who found its address could read the contents without any authentication.
Whether anyone else found the open database is unclear. But in the wrong hands, the exposed information could have been abused to commit blackmail against the affected patients.
"Many more images were not just sensitive but also very graphic. Our team viewed close-up photos of women's exposed breasts and genitals, including images taken immediately following a surgical procedure," the researchers wrote. "Such photos being released into the public domain would be devastating for the women affected."
The researchers uncovered the exposed database last month as part of a "web mapping project." They then reported their findings to NextMotion, which has since secured the database.
"We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," NextMotion CEO Emmanuel Elard wrote in a statement on the company's website. Why the database was left unsecured is unknown. Elard told PCMag: "We are still investigating internally what could have happened to lead to such a data exposure. At this moment we have started a deep analysis and audit regarding our security processes with a certified company."
Unfortunately, it probably won't be the last time you hear about a database accidentally leaking people's sensitive information on the internet. Many companies rely on cloud storage because it is easy to set up, but they often make the mistake of not restricting who can read what they put there.
"NextMotion could have easily avoided this leak if it had taken some basic security measures to protect its database," Rotem and Locar wrote. They recommend that all companies double-check their cloud storage and confirm that it is not publicly accessible.
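The "basic security measures" the researchers refer to come down to two things on S3: no bucket policy or ACL that grants access to everyone, and Block Public Access switched on so that such a grant cannot be applied by mistake. The following is an added example written for this page, not code from NextMotion or from the researchers. It audits a bucket policy, a bucket ACL and a Block Public Access configuration for exactly those mistakes, and shows a weak policy beside a hardened one. All bucket names, account IDs, role names and policies below are constructed for illustration; the checks run offline on those constructed inputs.

```python
"""Offline checks for the S3 misconfigurations that expose a bucket to anonymous
readers: a bucket policy that allows everyone, and a bucket ACL that grants the
AllUsers / AuthenticatedUsers groups. The policies, ACL and bucket name below are
constructed examples, not NextMotion's real configuration."""
import json

# ACL group URIs that S3 defines for "anyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Actions that let a principal read objects or enumerate the bucket (lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for the wildcard principal in either of its accepted forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_grants_read(action) -> bool:
    return any(a.lower() in READ_ACTIONS for a in _as_list(action))


def public_statements(policy: dict) -> list:
    """Statements that let anonymous principals read objects or list the bucket.
    A statement carrying a Condition block is still reported, because conditions
    such as aws:SourceIp are easy to get wrong, but it is flagged for review."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _action_grants_read(stmt.get("Action", [])):
            continue
        findings.append({"sid": stmt.get("Sid"), "conditional": "Condition" in stmt})
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers in a
    GetBucketAcl-shaped response."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def block_public_access_gaps(config: dict) -> list:
    """Names of the Block Public Access switches that are not enabled. With all
    four on, S3 rejects a public policy and ignores public ACLs on the bucket."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in required if not config.get(k, False)]


# Constructed inputs. The weak policy is the classic "public read" mistake.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-clinic-media", "arn:aws:s3:::example-clinic-media/*"]
  }]
}""")

# Hardened form: only a named application role may read objects (hypothetical role ARN).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-clinic-media/*",
    }],
}

WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
HARDENED_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def audit(policy: dict, acl: dict, bpa: dict) -> dict:
    """Combine the three checks into one report; every list should be empty."""
    return {
        "public_policy_statements": public_statements(policy),
        "public_acl_grants": public_acl_grants(acl),
        "block_public_access_gaps": block_public_access_gaps(bpa),
    }


if __name__ == "__main__":
    print(json.dumps(audit(WEAK_POLICY, WEAK_ACL, {}), indent=2))
    print(json.dumps(audit(HARDENED_POLICY, {"Grants": []}, HARDENED_BPA), indent=2))
```

Against a real account the three inputs come from the boto3 S3 client: `get_bucket_policy` (the `Policy` field is a JSON string, so pass it through `json.loads`), `get_bucket_acl` (use the `Grants` list), and `get_public_access_block` (use `PublicAccessBlockConfiguration`). A clean run is the audit returning three empty lists for every bucket, with Block Public Access also enabled at the account level so a future bucket cannot regress.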