Researchers from vpnMentor have discovered another unsecured database exposing sensitive details about users. As reported, they discovered an unprotected Amazon S3 bucket that contained thousands of plastic surgery images of patients. Further investigation revealed that the database belonged to NextMotion, a French aesthetic industry technology firm.
Specifically, there were around 900,000 images that clearly showed patients’ faces. In some instances, the images also displayed patients’ body parts under treatment, including private parts.
Apart from these sensitive images, the database also exposed other related information, according to the researchers’ findings. As stated,
“Our team had access to almost 900,000 individual files. These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.”
The researchers could also access video files of scans, outlines for proposed treatments, and the respective invoices.
Company Confirms Rectification
Upon discovering the unsecured database, the researchers informed NextMotion of the incident, and the company then addressed the flaw. Recently, the firm also confirmed the incident in a press release and assured that the matter has been rectified.
They also explained that the exposed database included only media files, whereas the patients’ database remained unaffected.
“These media are stored in a specific database separated from the patients’ personal data database (names, birth dates, notes, etc) – only the media database was exposed, not the patients’ database.”
They have assured they are taking corrective steps following this report, which the researchers also confirmed.
NextMotion CEO Dr. Emmanuel Elard also explained that investigations are underway and that the company remains open to any questions from patients in this regard.