TechCrunch reported that FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, exposed millions of user records because it left several of its servers without a password.
Pravin Kothari, CEO at CipherCloud:
“The FitMetrix potential exposure of 113.5 million records seems likely to be another unfortunate example of a cyber breach caused by misconfiguration and administrative error. If the data was encrypted end-to-end, at the cloud ‘edge,’ then access to the exposed but encrypted data would have been stopped.
“Perhaps the more interesting issue is whether or not the exposed FitMetrix databases included data from European citizens, and, if so, whether or not this data may be subject to regulation by the European Union General Data Protection Regulation (GDPR). The FitMetrix privacy page notes that ‘The FITMETRIX Services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States.’ In sharp contrast, the GDPR directs that any regulated entity which processes or collects the personal data of European Union residents must comply with the regulations within GDPR. This is intended to protect the rights and privacy of EU citizens no matter where they are on the internet. Is the FitMetrix disclaimer valid? Does this sort of disclaimer work if you have signed up customers from the European Community? What enforcement action, if any, will the E.U. take? Did these E.U. customers waive their rights? Were they properly notified?”