It has been reported that millions of records belonging to users of a fitness technology app were exposed online for almost a month due to a misconfigured database, including a swathe of personal details. Approximately 40GB worth of information belonging to users of Kinomap, a service that creates immersive workout videos for people on rowing and cycling machines as well as treadmills, was discovered by security researchers in March. This enormous amount of data amounted to 42 million records and affected the platform’s entire user base, including people from a number of countries across the UK, Europe and the US. The data was discovered by researchers at vpnMentor as part of a web-mapping project on 16 March, with the public access to the database closed on 12 April.
It’s unfortunate that Kinomap continued to display a poor attitude towards data security and legal regulations in the aftermath of a data breach which left 40GB of data exposed. The fact that the PII of more than 42 million users were breached due to a misconfigured database proves that the current standards of data security are not good enough. It seems like every week there is a new instance of misconfigured storage buckets and Kinomap will most likely face regularity repercussions because of their inadequate security procedures. We should understand by now that it’s not enough to store personal information in unsecure databases. Indeed, we must go several steps further, activating tokenization or encryption on databases with sensitive data to reduce the risk of data exposure incidents or data breaches. Technology professionals must get out of the habit of leaving sensitive data unprotected, and tokenized data means that even if it falls into the wrong hands it is useless and indecipherable, therefore avoiding potential GDPR breaches and subsequent investigations like this one.\”