Databases leak exposed 900K plastic surgery records with nude photos

Leaked images, many of them graphic nude photos, were from imaging firm NextMotion in France


Editors, please. Everyone knows that hackers wear hoodies and dark glasses while doxing.

We reserve our formalwear black balaclavas strictly for when we’re stealing credit cards.


Looking at this further, I was completely unsurprised to confirm to myself that:

NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured.

This recurring idiocy has me suspecting that every AWS training course erroneously specifies that admins have to go to the extra trouble of turning off and then leaving off the default security on their buckets.


Until I saw it was a French doc, I was picturing HIPPA violations galore. No clue what the regs in France are, but I have to think this will not end well for the practice.


I clicked through to this article thinking “How odd that a plastic surgery firm would name itself after a weirdly capitalized racial slur.”

1 Like

Elard apologized for the “fortunately minor incident.”

Yeah… in the US, this ‘minor’ incident would be not-so-minor, with an exceptionally mahoosive fine attached to it. (Still might be, if any of the patients whose data was, uh, exposed are from the US.)

1 Like

For future reference: HIPAA (Health Insurance Portability and Accountability Act)

I don’t think it is any different in the EU. It is a minor incident in the ‘if we minimise this incident then maybe we will get fewer people taking us to court over it’ sense.


As a security engineer who specializes in locking down AWS infrastructure, the problem is IAM (AWS’ permission system) is complicated, awkward and was bolted onto S3 after the fact so it has extra opportunities for getting it wrong. S3 definitely fails secure, but this usually means it blocks access you are trying to authorize. When a junior IT technician is told to just make it work, it’s easier to figure out the “open access globally” solution than the correct “open access minimally” solution. That’s why this keeps happening.
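The "open access globally" versus "open access minimally" contrast from the comment above, as an added example that is not part of the original post or AWS's own code. The bucket name, account ID and role name are constructed placeholders, and the check is a simple heuristic: it flags Allow statements with a wildcard principal and no Condition, and does not evaluate conditions, ACLs or account-level settings.

```python
# Constructed sample bucket policies; all names and IDs below are placeholders.
OPEN_GLOBALLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": "*",  # anyone on the internet
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-patient-images/*",
}]}

OPEN_MINIMALLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-imaging-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-patient-images/*",
}]}


def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True if the Principal element matches anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy):
    """Return Allow statements open to any principal with no Condition attached."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    for name, policy in [("open globally", OPEN_GLOBALLY),
                         ("open minimally", OPEN_MINIMALLY)]:
        print(name, "->", len(public_statements(policy)), "public statement(s)")
```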


Thanks. I truly couldn’t figure out why these AWS breach disasters keep happening despite the defaults and despite the major news stories.

The times I’ve set up an instance (not my main job, but I do it now and then), the permissions seemed straightforward to me. But I’ve been in tech for decades and these days I’m the one setting the timetables for roll-outs so I can take my time being diligent.


TFA says that patient data from “clinics around the world” were leaked. So not only do they have GDPR violations to answer for, but a heap of HIPAA violations to go with them.

The out of luck patients who live outside of the USA or EU have little recourse. The category of unprotected schmucks now includes the citizens of Great Adequate Britain.

