Health, credit card data left unsecured at Ontario-based fitness app PumpUp

FILE - Runner tying shoe and checking heart rate app on cell phone . Hero Images / Getty Images

Fitness app PumpUp left unsecured a server that contained personal information like credit card numbers, private messages and health data.

The app lets you send photos to the PumpUp social network, to allow other users to cheer you on or suggest workout tips. It also tracks your fitness progress.

The app, which is based out of Toronto, used a back-end server on Amazon’s cloud as a messaging server using a messaging protocol called MQTT.

The information on the server — credit card data, personal messages, Facebook accounts — wasn’t password protected, as technology news website ZDNet first reported. PumpUp told Global News the server has since been secured.

That means it was visible to anyone with the IP address of the server.

Story continues below advertisement

“Considering you can scan all of the IPv4 Internet in a matter of minutes … that’s not sufficient,” freelance programmer Oliver Hough told Global News.

“Basically just lax security.”

Other than Hough, PumpUp officials said they’re not aware of anyone else who had accessed the information.

“Beyond the security researcher who originally came across the vulnerability, we are not aware of any other individuals who were aware of this situation or who had access to any of the data,” CEO Garrett Gottlieb wrote in a statement to Global News.

WATCH: We need to decouple the idea of a privacy problem and a security problem: Constine

Click to play video: 'We need to decouple the idea of a privacy problem and a security problem: Constine'
We need to decouple the idea of a privacy problem and a security problem: Constine

Hough says he found the data when he was scanning MQTT servers. He said that when he found out he had sensitive information, he went to ZDNet for help.

Story continues below advertisement

According to technology news website, ZDNet, the information on the server — credit card data, personal messages, Facebook accounts — wasn’t password protected.

“We can confirm that, as a result of a scheduled server update, a very limited amount of user information was left unsecured.  This included the credit card numbers of less than 10 clients and user messaging related to the topic of personal training,” Gottlieb wrote.

WATCH: Who is responsible for user privacy on social media?

Click to play video: 'Who is responsible for user privacy on social media?'
Who is responsible for user privacy on social media?

It remains unknown whether or not the data was accessed by someone other than the alleged data breaches involving Hough or ZDNet – which could be a major security flaw, privacy expert Ann Cavoukian said.

“Cyber security attacks are mounting on a daily basis,” she explained. “So you’ve got to be so careful with all your personal data especially sensitive data which could consist of financial and health related data.”

Story continues below advertisement

Gottlieb said the users impacted by the leak would be notified and offered a lifetime subscription.

“PumpUp takes the issue of data security very seriously.  We apologize to our users for any inconvenience this may have caused and are in the process of reaching out to those affected to ensure they are aware that the proper precautions are being taken to secure their information,” he wrote.

So what are the laws? Is this type of thing illegal?

Privacy expert Tessa Scassa says that while there is currently privacy legislation that imposes obligations on companies to protect and secure a consumer’s data, the legislation is “essentially toothless.

If there’s a privacy breach, Canadians can report the case to the Office of the Privacy Commissioner (or the privacy commissioner can instigate an investigation on his/her own).

After an investigation, the privacy commissioner can then make recommendations, and the company can choose whether or not to follow them.

Only then could it be taken to a federal court.

So while it can be illegal to allow sensitive data to be leaked, there’s not enough incentive for companies to ensure they have adequate security.

Story continues below advertisement

“I think we need a law that has a lot more teeth to it before companies will start to take it seriously and see bad security and bad privacy as having a substantial financial impact on their business,” Scassa said.

Companies will also soon be required to disclose any time a Canadian consumer’s information is compromised.

As of Nov. 2018, The Digital Privacy Act, will require companies to tell their clients about a potential leak.

The privacy act became law in 2015.

“It’s been three years,” Scassa explained. “It’s taking its sweet time.”

But that means right now companies aren’t required to disclose if there’s been a breach or leak – including this alleged breach by PumpUp.

Can you trust the apps on your phone?

So it all begs the question – which apps can you trust?

Cavoukian says it’s on us to make sure we know who is able to access our own data.

“I caution people to be very careful before they sign up for apps,” she said. “Don’t just automatically assume that your data is somehow going to be safe. In fact: assume the exact opposite.

Story continues below advertisement

READ MORE: Here’s how to shut intrusive apps out of your Facebook account

“There’s certainly there’s no way of assuming that they’re going to provide strong privacy and security measures.”

If you want to test an app – she recommends asking the app creator a few questions.

  1. Who has access to the data in the app?
  2. Are there any third parties with access?
  3. What type of security do you use to store the data?

If the answers aren’t satisfactory, she recommends not using the app.

“Now people are very concerned about their privacy and their loss of control over their data,” Cavoukian said. “And trust is at an all-time low. So you’ve got to then translate that into the when you think of using an app you’ve got to ask these questions before doing it.”

Sponsored content