MindBody’s newly acquired fitness performance tracking software company, FitMetrix, recently faced a security breach. The result led to the exposure of millions of user records. The culprit appears to be the negligent oversight that left several of its servers without password protection.
FitMetrix offers fitness tracking software that provides heart rate monitoring and other fitness data management for gym-goers, studios, and corporate wellness programs all around the world. The company was acquired by Mindbody in February of this year for $15.3 million.
While the exact number of MindBody FitMetrix records affected isn’t yet certain, none were properly secured by a password, giving easy access to hackers.
On October 5th, Bob Diachenko — Director of Cyber Risk Research at Hacken — uncovered millions of sets of FitMetrix user data that was left unprotected. While the exact number of records affected isn’t yet certain, none were properly secured by a password, giving easy access to hackers.
Among 113.5 million customer records in FitMetrix’s database, each record consists of a name, gender, contact information, photos, workout locations, emergency contacts, and more. According to TechCrunch, personal health information such as height, weight, shoe sizes, and more was also exposed.
Jason Loomis, Chief Information Security Officer of MindBody, tried to ease the situation by stating that the accounts “did not include any login credentials, passwords, credit card information or personal health information.” Diachenko questioned MindBody’s claim, citing that health information in the records were clearly visible. When asked to clarify, MindBody provided no further comment.
It is still unclear how many people accessed the database, but Diachenko is certain he wasn’t the first who found it exposed and vulnerable. A ransom note was found in the database, it read:
“ALL YOUR [INFORMATION AND DATA] HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY”
Fortunately, the hacker did not successfully delete the data from the FitMetrix servers, and thus the threat proved fruitless. Diachenko attempted several times to contact MindBody about the security breach, but only when TechCrunch reached out, did MindBody jump to action to deal with the situation.
“Data security is of course top priority in our industry, and any invasion of that is a reminder to never stop being cautious,” says Len Fridman of WellnessLiving.
“We are very sad to hear about MindBody’s security breach, it’s a very unfortunate turn of events,” said Len Fridman, Co-Founder and CEO of WellnessLiving. “Data security is of course top priority in our industry, and any invasion of that is a reminder to never stop being cautious. We are trusted by our customers to keep their information safe, and we must live up to that promise. I’m proud to say all WellnessLiving servers are firmly protected, with secure data backup and encryption.”
In the aftermath, MindBody promised to “comply with all applicable legal obligations” by reporting the data exposure to U.S. and European authorities. No word yet on whether they will take action to inform their customers. MindBody may also face consequences from the General Data Protection Regulation, a section in European law, which may fine the company up to 4% of their global revenue for negligent data exposure.