
Plug the leak: Problem fitness equipment API oozes out client data

Exercise bikes are the latest devices to be central to a cybersecurity issue, leaking out data due to a faulty API.

An electric bike, good for the environment, in central London. Image by Tim Sandle.

Fitness company Echelon has been found to have had a leaky API that let virtually anyone access riders’ account information, according to TechCrunch.

Security researcher Jan Masters discovered that Echelon’s API allowed him to access the account data. This included user name, city, age, gender, phone number, weight, birthday and workout statistics and usage history.

Echelon manufactures exercise bikes that are intended to be fairly affordable, positioning the product on the market as a cost-effective alternative to brands like Peloton or NordicTrack. Data is collected via the user’s tablet or smartphone in place of the built-in touchscreen that comes as standard on the competitor bikes.

In response to Echelon’s leaky API exposing sensitive user data, Brook Lovatt, CPO of Cloudentity, sets out the extent of the problem for Digital Journal in the commentary below.

Lovatt says that the issue was serious, noting: “The personally identifiable information (PII) that was exposed, such as members’ locations, names, emails, age, weight and phone numbers, is valuable information that malicious actors can leverage for highly-targeted phishing attacks or identity theft.”

Lovatt says that to guard against future incidents and lower the threat: “To mitigate the risk of data leakage through a weak API, companies must enforce a Zero Trust approach, confirming every user is verified each time before accessing any private information. This also requires context-based authorization (who, what, where, when, etc.) and identity governance built into APIs.”
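As an added illustration of the per-request verification and object-level authorization Lovatt describes (example code written for this page, not Echelon’s API, whose specific defect the article does not detail): a constructed account-lookup endpoint that serves any record by ID, beside one that authenticates every call, ties the record to the caller’s own subject and limits explicitly scoped staff access to a minimised view. All account records, tokens and scope names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this illustration; not real rider records.
ACCOUNTS = {
    101: {"name": "Rider One", "city": "Leeds", "age": 34,
          "phone": "+44 7700 900101", "weight_kg": 72},
    102: {"name": "Rider Two", "city": "Bristol", "age": 41,
          "phone": "+44 7700 900102", "weight_kg": 85},
}
# Constructed session tokens: the subject each was issued to and the scopes
# granted to it. In a real deployment these come from the identity provider.
SESSIONS = {
    "tok-rider-101": {"sub": 101, "scopes": {"account:read:self"}},
    "tok-rider-102": {"sub": 102, "scopes": {"account:read:self"}},
    "tok-support-7": {"sub": 7, "scopes": {"account:read:any"}},
}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def get_account_leaky(account_id: int, token: Optional[str]) -> Response:
    """Looks the record up by ID alone. The token is never inspected, so any
    caller who knows or enumerates an ID receives another member's PII."""
    record = ACCOUNTS.get(account_id)
    return Response(404) if record is None else Response(200, dict(record))

def get_account_hardened(account_id: int, token: Optional[str]) -> Response:
    """Verifies the caller on every request (no remembered trust), then
    authorizes the specific object and scope before releasing any field."""
    session = SESSIONS.get(token) if token else None
    if session is None:
        return Response(401)  # not authenticated: who is asking?
    record = ACCOUNTS.get(account_id)
    if record is None:
        return Response(403)  # do not confirm to outsiders which IDs exist
    if session["sub"] == account_id and "account:read:self" in session["scopes"]:
        return Response(200, dict(record))  # own account: full record
    if "account:read:any" in session["scopes"]:
        # Explicitly scoped staff access still gets a minimised view:
        # no phone number, weight or age.
        return Response(200, {k: record[k] for k in ("name", "city")})
    return Response(403)  # authenticated, but not authorized for this object
```

The leaky handler is the pattern a pentester’s account-enumeration check exposes; the hardened one fails closed at each of Lovatt’s steps (authentication, object ownership, scope) and releases only the fields the caller’s context justifies.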

Delays can prove very costly, says Lovatt: “Although in this case the API vulnerability was eventually secured, the company did not immediately resolve the issue when it was first disclosed, so user data could potentially already be on the dark web.”

Furthermore, this issue acts as a cogent example of the implications of weak security practices. According to Lovatt: “There can be detrimental consequences for businesses that accidentally expose sensitive consumer data, such as steep fines for failure to comply with data regulations and loss of customer trust.”

To paraphrase Lenin: ‘what is to be done?’ According to Lovatt: “To prevent this, authorization governance controls should be implemented for continuous, contextual security, detecting abnormal behavior and making sure every user is trustworthy before being able to access sensitive data.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
