900,000 Files Exposed by Plastic Surgery Technology Provider NextMotion

February 20, 2020

Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached database belonging to plastic surgery technology company NextMotion.

Based in France, NextMotion provides clinics working in dermatology, cosmetic, and plastic surgery with digital photography and video devices for their patients. The company was established in 2015 by a team of plastic surgeons and has grown rapidly: It achieved a global presence in 2019, with 170 clinics worldwide in 35 countries.

The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated, says the vpnMentor report.

NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured, say the researchers. The team had access to almost 900,000 individual files, which included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.

The private personal user data the researchers viewed included:

Invoices for treatments
Outlines for proposed treatments
Video files, including 360-degree body and face scans
Patient profile photos, both facial and body

The origins of the photos and files within the database were not clear at the time of writing, as there’s little information attached to them. This leak possibly affected NextMotion clients (and their patients) around the world, note the researchers. The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients, which can be used to target people in a wide range of scams, fraud, and online attacks. NextMotion’s database posed a real risk to the people exposed, with wide-ranging privacy and security implications for all those involved, warn the researchers.

For more information, visit vpnMentor's report.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

900,000 Files Exposed by Plastic Surgery Technology Provider NextMotion

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

900,000 Files Exposed by Plastic Surgery Technology Provider NextMotion

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.