
Mass Leak of Fitness Tracking Data Hits Fitbit, Apple, Microsoft, Google; 60 Million Records Exposed by Improperly Configured Third-Party Database

A third-party platform that pulls fitness tracking data from nearly all of the major wearable device providers left a database exposed to the open internet, putting about 61 million records at risk.

While the amount of personal information in each record is limited, the database did contain some sensitive items: first names paired with display names and locations, dates of birth and GPS logs, in addition to general fitness data.

The unsecured database was discovered by security researchers in late June and was secured within hours of notification, but it is unclear how long it had been exposed before that.

Exposed fitness tracking data found on third-party platform used by employers

None of the individual companies named was directly breached; their users' records were exposed through a misconfigured database belonging to a third-party vendor called GetHealth, which is often used by employers to run incentive programs for employee fitness. The platform integrates fitness data from many types of wearables for this purpose, and pulls records once the end user signs up and gives consent. This means that records originating from dozens of fitness tracking device makers were exposed. Among the biggest names are Apple, Fitbit, Microsoft Band, Google Fit, Strava and Misfit Wearables. A sampling of 20,000 records indicates that most of the fitness tracking data came from Fitbit and Apple devices.

Discovered by cybersecurity researcher Jeremiah Fowler, the fitness tracking data repository was online without any password protection and freely accessible to anyone who found it. The records came from users all over the world.

As with many unsecured databases discovered by security researchers, it is unclear how long the problem existed or how many other parties came across it before a researcher did. GetHealth's reported response time after being notified was commendable, but the company has yet to say whether threat actors accessed the data prior to the discovery.

Exposed fitness tracking data carries lower risk

16.71 GB of data was left exposed in total. Though fitness tracking data is not the kind of comprehensive medical record that commands the highest prices, health information is a hot commodity on the dark web right now. Medical records can go for hundreds of dollars each, while verified working credit card numbers have sunk to an average of about $5 each. Medical data not only provides thieves with the elements they need for identity theft and a variety of confidence and insurance schemes; it also creates potential for blackmail over sensitive health conditions.

Fitness tracking data does not carry the same level of risk. If criminals were to obtain it, it would most likely either be sold to unethical marketing agencies or added to "combination files" that merge data from several leaks so that it can be tied to an individual identity. This exposure did not include "hard" identifiers such as Social Security numbers or even email addresses, but the combination of full name, date of birth and location is enough to pair a record with existing breached information in some cases.
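To make the "combination file" risk concrete, the following is an added example (not code from the article, the researcher, or GetHealth) of the record linkage a data broker or attacker would perform: a fitness export that carries no email address is joined to an older breach dump that does, using only the normalised name, date of birth and city as the key. Both data sets are constructed for illustration, and the name of the field layouts, the date formats accepted and the month-first assumption for slash dates are all assumptions of this example.

```python
"""Link two leaked data sets on "soft" identifiers only (name, DOB, city).

Constructed sample data: a fitness-platform export with no email address,
and an unrelated older breach that does carry emails. The example shows
how the weaker fields become a linkage key once normalised.
"""
import re
import unicodedata
from collections import defaultdict
from datetime import datetime

# Constructed sample: records of the kind the article describes (no email, no SSN).
FITNESS_RECORDS = [
    {"first_name": "Ana", "last_name": "Sousa", "dob": "1988-03-14",
     "location": "Lisbon, PT", "device": "Fitbit", "steps": 9123},
    {"first_name": "MARK", "last_name": "O'Neil", "dob": "02/07/1975",
     "location": "Denver, CO", "device": "Apple Watch", "steps": 4210},
    {"first_name": "Li", "last_name": "Wei", "dob": "1990-11-02",
     "location": "Shanghai", "device": "Google Fit", "steps": 12000},
]

# Constructed sample: an older, unrelated breach that does carry emails.
PRIOR_BREACH = [
    {"name": "Ana Sousa", "birthdate": "14 Mar 1988", "city": "lisbon",
     "email": "ana.sousa@example.com"},
    {"name": "Mark ONeil", "birthdate": "1975-02-07", "city": "Denver",
     "email": "moneil@example.org"},
    {"name": "Li Wei", "birthdate": "1990-11-03", "city": "Shanghai",
     "email": "liwei@example.net"},  # DOB differs by one day: must NOT link
]

# Assumed date layouts, tried in order. Putting %m/%d/%Y before %d/%m/%Y is a
# US month-first assumption; real linkage work has to make this explicit.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d %b %Y", "%d/%m/%Y")


def normalize_name(s):
    """Strip diacritics and punctuation, lowercase ("O'Neil" -> "oneil")."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", s.lower())


def normalize_date(s):
    """Return an ISO date string for any accepted layout, or None."""
    s = s.strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(s, fmt).date().isoformat()
        except ValueError:
            continue
    return None


def normalize_city(s):
    """Keep only the city part before any comma ("Denver, CO" -> "denver")."""
    return normalize_name(s.split(",")[0])


def fitness_key(rec):
    return (normalize_name(rec["first_name"] + rec["last_name"]),
            normalize_date(rec["dob"]),
            normalize_city(rec["location"]))


def breach_key(rec):
    return (normalize_name(rec["name"]),
            normalize_date(rec["birthdate"]),
            normalize_city(rec["city"]))


def build_index(breach):
    """Index the older breach by its normalised key; skip unparseable rows."""
    idx = defaultdict(list)
    for rec in breach:
        key = breach_key(rec)
        if None not in key:
            idx[key].append(rec)
    return idx


def link_records(fitness, breach):
    """Return (fitness_record, breach_record) pairs whose keys match exactly."""
    idx = build_index(breach)
    matches = []
    for rec in fitness:
        for hit in idx.get(fitness_key(rec), []):
            matches.append((rec, hit))
    return matches


if __name__ == "__main__":
    for fit, hit in link_records(FITNESS_RECORDS, PRIOR_BREACH):
        print(f"{fit['first_name']} {fit['last_name']} ({fit['device']}) -> {hit['email']}")
```

Two of the three fitness records gain an email address even though the export itself contains none; the third fails to link only because the birth dates disagree, which is exactly the kind of exact-match miss that real linkage tools relax with fuzzy matching.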

Tim Erlin, VP of strategy at Tripwire, points out that though this personal information is more limited in scope it can still cause serious problems for an organization that loses it: “Misconfigured systems aren’t just at risk from attackers, but they often pose a compliance risk as well. Compliance audits can result in fines and other consequences that have a material impact on your business. It may be complex, but understanding which regulations apply to which parts of your environment is a foundational requirement for doing business in today’s data-driven, connected world.”

Little potential for regulatory penalties

The relatively limited amount of personal data that fitness tracking devices collect has allowed them to fly below the radar of the Health Insurance Portability and Accountability Act (HIPAA), which applies to covered entities such as health care providers and insurers and their business associates, not to consumer wearables or wellness vendors. The Federal Food, Drug, and Cosmetic Act (FD&C Act), which regulates medical devices, also does not apply, since fitness wearables are not used to treat conditions and are not considered a risk to the user. The closest regulatory match may be Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices and could be invoked over a privacy violation. However, it likely does not apply to this particular case, as most users opted in to an employer program that included permission to share data with GetHealth.

The state of regulation in other countries is somewhat different. In the United Kingdom, fitness trackers have been recognized as "medical devices" by the Medicines & Healthcare products Regulatory Agency (MHRA), the country's rough equivalent of the US FDA, when they are used to investigate or treat a condition. That would have placed their data firmly within the special category of health data under the General Data Protection Regulation (GDPR) prior to 2021, but the UK's data privacy laws are now in flux post-Brexit.

For its part, the FDA said in 2016 that it had no intention of regulating fitness wearables or wellness mobile apps unless they are used to treat specific conditions or disorders. The situation could change if the devices continue to add capabilities, however.