Data Breach Laws Could Get Tested as Fitness App Leaks Personally Identifiable Information

It is a story we’ve heard many times in the first 6 months of 2018: An independent researcher finds a critical vulnerability in the code of a popular app or website that leaks personally identifiable information. They reach out to a tech journalist or colleague to investigate. Once confirmed, the researcher or journalist reaches out to the company regarding the exposure. The initial response from the affected company comes as a tepid promise to examine the issue, that is, if they respond at all.

Running Female With Mobile Phone Connected To A Smart Watch

AndreyPopov / iStock / Getty Images Plus / Getty Images

An exclusive report published by ZDNet on May 31, 2018, highlights the continuation of this pattern. Security researcher Oliver Hough reached out to ZDNet’s Zack Whittaker regarding a critical flaw in a fitness app. The app, PumpUp, was created as a fitness community where subscribers could “discover new workouts and record their results, and get advice from fitness coaches and other users.”

The problem stemmed from a PumpUp back-end server that was hosted on an unsecured Amazon Web Services cloud. According to Whittaker, the server—which the company has now secured—operated as a broker, sending requests and directing private messages between subscribers. Exacerbating the problem was the server’s reliance on the Message Queuing Telemetry Transport (MQTT) protocol. Developers will often use MQTT in Internet of Things (IoT) devices or in apps because of its small code footprint, allowing them to cut down on cost overheads. However, as Whittaker points out, “the protocol is transitory, so anyone can see the real-time stream of data,” especially if hosted on an unsecured cloud server.

The vulnerability exposed the personal information of some 6 million subscribers. Among the user information that could be culled from the server was the breach-standard e-mail address, date of birth, gender, and user location. More seriously, the app also gave threat actors access to any health information provided by the user regarding their height and weight, how much alcohol or caffeine they consume, whether they are a smoker, and any information regarding medications they take, injuries, or general health concerns they might have. A hacker could also access links to a user’s workout goals, profile photos, and social activity, such as who the user has communicated with or which other users they have blocked.

What made this potentially more shocking is the amount of external data this breach included. In some instances, ZDNet discovered that the vulnerability exposed a user’s unencrypted credit card information (card numbers, expiration dates, and card verification values) if they had entered it to make a purchase. PumpUp also leaked device data, such as the user’s IP address and session tokens, which an attacker could then use to access the app without needing a user’s password. If the user logged into the app using Facebook, those session tokens were visible as well, potentially compromising their Facebook account.

What Happens Next

ZDNet tried to contact the PumpUp CEO and his staff for more than a week, but a response was never received from anyone at the company. ZDNet also did not get a response from the app’s financial backer, General Catalyst. According to Whittaker, it appears the server “was quietly secured earlier this week.”

The fallout from this breach could prove quite interesting. While the company is headquartered in Canada—where data breach laws take effect later this year—PumpUp also maintains an office in San Francisco. California has had data breach laws on the books since 2017, which requires timely disclosure of the breach to state regulators.

Additionally, PumpUp apparently had a number of users located within the European Union, where the General Data Protection Regulation (GDPR) took effect on May 25, 2018.

The scope of personally identifiable information leaked by this vulnerability from the unsecured server could make this the example many small- to mid-sized companies were waiting for before making decisions on how to respond to the GDPR and other laws.

It’s good to remember that your business does not need to have a physical presence in the European Union to be affected by the GDPR rules, and the fines for noncompliance are potentially large enough to bankrupt unprepared companies.

If you are at all concerned about the potential liability to your business, now is the time to schedule a system audit, and seriously consider any recommendations forwarded by the auditor.