NextMotion imaging service left an unprotected S3 bucket exposed
NextMotion, a France-based technology company that provides imaging and other services for 170 plastic surgery clinics worldwide, made a serious mistake which resulted in a massive data breach. Approximately 900,000 documents were leaked when the company left an unsecured Amazon Web Services (AWS) S3 bucket online. The data consisted of highly sensitive pictures of clients, including nude photos, as well as other personally identifiable information.
The leaky AWS bucket was found by security researchers Noam Rotem and Ran Locar, and their findings were published on a website that rates and analyses VPN services. The NextMotion data leak was discovered during a web-mapping project the two researchers are carrying out; they noted that exposures of this type are not at all rare.
NextMotion was established in 2015 in France and has grown over the past few years, providing digital technology tools for before-and-after plastic surgery patients' imaging. By 2019, the company was known globally, and its services were used in 35 countries worldwide.
According to NextMotion's website, the information provided by clients is 100% secure:
Nextmotion is an ecosystem based on a medical cloud which allows you to sort, store and access your data wherever you are. In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) – in our case, AWS who is certified.
Discovery and investigation
Unprotected databases and leaky buckets have been a recurring problem, with several cases documented over the past few years (data management company Attunity, sports gadget manufacturer Garmin SA, etc.). Typically, these incidents happen because of negligence and less-than-secure data handling practices. Although NextMotion claims 100% data security, the breach shows something quite different.
Rotem and Locar first spotted the database on January 24, when they saw it online. Because the file was named “NextMotion,” its owner was quickly identified, and the researchers thoroughly checked the data inside to confirm it was genuine. On February 5, over a week after the firm was contacted about the exposed data, the database was finally secured and could no longer be accessed online.
Highly sensitive images of patients' faces and bodies exposed
The researchers stated that the AWS S3 bucket was completely unprotected: anybody could view the data as long as they knew where to look. Inside it they found 900,000 files, each containing highly sensitive personal information:
Our team had access to almost 900,000 individual files. These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.
Some of the pictures showed private body parts and faces, including images taken immediately after surgery.
Besides the image files, Rotem and Locar also found invoices, prescriptions, treatment details, costs of the procedures and timestamps. If this highly sensitive data reaches cybercriminals, it can harm the affected individuals' lives in many ways: financial information can be used for fraud, while exposed pictures might be used in sextortion attacks and other types of blackmail. Finally, the researchers noted that the ramifications might be far greater for NextMotion's clients, as the clinics could be sued by patients for failing to protect their private information properly.
The incident could easily have been prevented had NextMotion applied basic security procedures, such as securing its servers, using correct server access rules, and not leaving a system that requires no authentication open to the internet.
While the bucket is now secured, patients may not know whether they were affected by the breach, because, for security and legal reasons, the list of impacted clinics cannot be disclosed.
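As an added illustration of the access checks the article has in mind (not code from the article or from NextMotion), the following Python audits a bucket's ACL, bucket policy and Block Public Access settings, in the shapes boto3's get_bucket_acl(), get_bucket_policy() and get_public_access_block() return; the leaky and hardened bucket configurations are constructed samples.

```python
import json

# Grantee groups that make an ACL grant readable by the whole internet / any AWS account.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four S3 Block Public Access settings; all four should be true on a bucket holding patient data.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    # `acl` has the shape boto3 get_bucket_acl() returns: {"Grants": [{"Grantee": {...}, "Permission": ...}]}
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings

def _anyone(principal):
    # True for Principal "*" and for {"AWS": "*"} / {"AWS": [..., "*"]}.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def policy_public_statements(policy_json):
    # Flag unconditional Allow statements open to anyone; conditioned ones are left for manual review.
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") == "Allow" and _anyone(st.get("Principal")) and not st.get("Condition"):
            actions = st.get("Action", [])
            findings.append("policy allows %s to anyone" % ", ".join([actions] if isinstance(actions, str) else actions))
    return findings

def audit_bucket(acl, policy_json, public_access_block):
    # Empty list means nothing public was found and Block Public Access is fully enabled.
    findings = acl_public_grants(acl) + policy_public_statements(policy_json)
    missing = [f for f in BPA_FLAGS if not public_access_block.get(f)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings

# Constructed sample (not real NextMotion configuration): a world-readable bucket next to a locked-down one.
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                          "Resource": "arn:aws:s3:::example-imaging-bucket/*"}]})
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
SAFE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/imaging-app"},
                                         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-imaging-bucket/*"}]})
SAFE_BPA = dict.fromkeys(BPA_FLAGS, True)

print(audit_bucket(LEAKY_ACL, LEAKY_POLICY, {}), audit_bucket(SAFE_ACL, SAFE_POLICY, SAFE_BPA))
```

Against a live account the same three functions would be fed the responses of the corresponding boto3 calls for each bucket returned by list_buckets().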