Wearables maker Ultrahuman has informed customers of a data breach after discovering unauthorized access to its systems. The company says no customer payment info was exposed during the cyberattack.
-
Ultrahuman detected unauthorized access to an internal analytics tool on May 27th affecting users worldwide.
-
Exposed data included contact details, account information, order history, and transaction records but no payment card details.
-
Healthcare records are coveted by hackers, making healthtech companies prime targets for cybercriminals.
-
The company strengthened access controls, hardened security, and deployed anomaly detection tools following the breach incident.
Attackers breached Ultrahuman systems on May 27th, the company’s CEO, Mohit Kumar, explained to customers via email, seen by Cybernews. According to Kumar’s breach notice, “no passwords, card details, or payment data were involved.”
The India-based company is best known for its healthtech, namely a collection of smart rings. The company reportedly has up to 700,000 monthly users globally. However, this number may be closer to a million by now.
While the data breach notice does not mention how many individuals may have been exposed during the Ultrahuman data breach, local business media quotes the company as mentioning that 0.1% of its users may have been affected.
That would translate to up to 1,000 exposed users.
Check if your data has been leaked
How did the Ultrahuman data breach happen?
Meanwhile, according to the breach notice, attackers accessed an “internal system used for internal analytics.”
“The access was constrained in scope by the system's design, which did not permit modification or deletion of data. We identified the incident promptly, took the affected system offline, and revoked all access,” reads the notice.
Different users likely had different details exposed. The email Cybernews saw claims that attackers may have accessed:
- Contact details
- Account details
- Order history
- Transaction history
Since “contact details” likely include user email addresses, malicious actors can target users with highly personalized scams. For example, attackers can craft scams that offer discounts on items users previously purchased, which may eventually lead to the download of malware.
Attackers could also sell stolen details to supplement and wellness marketers and other malicious actors interested in illicit wellness-related activities.
However, Ultrahuman noted that “no passwords, payment or credit card information, or wellness data were accessible or affected by this incident.” At the same time, the Ultrahuman devices continue to operate and record wellness data.
However, a later breach notice published on the company’s website indicated that a small number of users had their fitness-related data accessed.
Healthtech companies wear a target on their backs
To prevent similar mishaps in the future, Ultrahuman said it strengthened its access control policies, hardened endpoint security, increased periodic access audits, and deployed export-volume anomaly-detection tools.
“We have also conducted active monitoring of public and other internet channels for any evidence of the publication or further misuse of the accessed information. To date, we have not identified any such publication or misuse,” it explained.
The company also said it notified relevant authorities about the attack.
Healthtech companies are a goldmine for threat actors, as they house one of the most valuable types of personal information – medical data.
According to the US Department of Health and Human Services, healthcare records can earn up to $250, several times more than a stolen payment card.
Meanwhile, consumer healthtech providers add another layer of information to the mix, enriching potential target profiles.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked