Action / Reaction
- Fierce Healthcare reported on September 13 that
An unsecured database containing over 61 million records related to fitness trackers and wearables exposed Apple and Fitbit users’ data online.
Researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered a non-password-protected database that contained tens of millions of records belonging to fitness tracking and wearable devices and apps. The unsecured database belonged to GetHealth, which offers a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps, according to a WebsitePlanet report posted Monday.
The cybersecurity team discovered the unsecured database June 30, ZDNet reported. Fowler said he immediately sent a disclosure notice to the company of the security findings. GetHealth responded rapidly, and the system was secured within a matter of hours, ZDNet reported.
“It is unclear how long these records were exposed or who else may have had access to the dataset,” Fowler wrote in the report.
“We are not implying any wrongdoing by GetHealth, their customers or partners. Nor, are we implying that any customer or user data was at risk,” he wrote.
- On Thursday, September 16, Cyberscoop reported
App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday.
The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade.
From the survey front,
- Health IT Security informs us that “Google and Microsoft amassed the most vulnerabilities compared to other major tech companies in the first half of 2021, researchfrom Atlas VPN revealed. During the first half of 2021, Google accumulated 547 registered vulnerabilities. Microsoft followed close behind at 432.” Ruh roh.
- CRN discusses the ten biggest cybersecurity risks that business face this year.
In ransomware news —
- The Wall Street Journal advised us yesterday that
The Biden administration is preparing an array of actions, including sanctions, to make it harder for hackers to use digital currency to profit from ransomware attacks, according to people familiar with the matter.
The government hopes to choke off access to a form of payment that has supported a booming criminal industry and a rising national security threat.
The Treasury Department plans to impose the sanctions as soon as next week, the people said, and will issue fresh guidance to businesses on the risks associated with facilitating ransomware payments, including fines and other penalties. Later this year, expected new anti-money-laundering and terror-finance rules will seek to limit the use of cryptocurrency as a payment mechanism in ransomware attacks and other illicit activities.
The actions collectively would represent the most significant attempt yet by the Biden administration to undercut the digital finance ecosystem of traders, exchanges and other elements that cybersecurity experts say has allowed debilitating ransomware attacks to flourish in recent years.
- Security Week offers a related report on understanding the cryptocurrency – ransomware connection.
- And no Cybersecurity Saturday post would be complete without a link to Bleeping Computer’s The Week in Ransomware. “This week’s biggest news is that soon after REvil returned from its two-month absence, Bitdefender released a master decryptor that allows victims encrypted by REvil before July 13th to recover their files for free.”