900,000 Files Exposed by Plastic Surgery Technology Provider NextMotion

February 20, 2020

Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached database belonging to plastic surgery technology company NextMotion.

Based in France, NextMotion provides clinics working in dermatology, cosmetic, and plastic surgery with digital photography and video devices for their patients. The company was established in 2015 by a team of plastic surgeons and has grown rapidly: It achieved a global presence in 2019, with 170 clinics worldwide in 35 countries.

The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated, says the vpnMentor report.

NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured, say the researchers. The team had access to almost 900,000 individual files, which included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.

The private personal user data the researchers viewed included:

Invoices for treatments
Outlines for proposed treatments
Video files, including 360-degree body and face scans
Patient profile photos, both facial and body

The origins of the photos and files within the database were not clear at the time of writing, as there’s little information attached to them. This leak possibly affected NextMotion clients (and their patients) around the world, note the researchers. The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients, which can be used to target people in a wide range of scams, fraud, and online attacks. NextMotion’s database posed a real risk to the people exposed, with wide-ranging privacy and security implications for all those involved, warn the researchers.

For more information, visit vpnMentor's report.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Join our subject matter experts as they explore how the right systems can help identify, analyze and report potential incidents and help building owners sustain compliance and create safer spaces.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

900,000 Files Exposed by Plastic Surgery Technology Provider NextMotion

Related Articles

Report Abusive Comment