The problem here isn’t so much that #BasicFit has been hacked.

Today’s tech stacks are so complex and distributed over multiple systems that all IT products are always one S3 dump away or one token leak away from being hacked.

The problem is that a gym perhaps is not supposed to store all this information about their customers:

  • Full name
  • Date of birth
  • Email
  • Address
  • Phone number
  • Bank account details

If gyms could still operate fine 20 years ago without gathering all these details, then I don’t see why they need them now.

My full name and a customer ID should be more than enough to know who I am, for the purposes that the gym needs. And if payments are externalized to external payment processors, then there should also be no need to store bank details or credit card numbers.

The best way to mitigate the impact of data hacks is to not store the data you don’t need in the first place - even if you think that you can make an extra buck from it by selling it to data brokers.

At the very least, pick up the habit of using one-off email aliases, fake phone numbers and fake dates of birth when you know that that information is very unlikely to ever be needed.

https://www.bleepingcomputer.com/news/security/european-gym-giant-basic-fit-data-breach-affects-1-million-members/

European Gym giant Basic-Fit data breach affects 1 million members

Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers.

BleepingComputer

@fabio every PCI-compliant system is built like that, because handling credit card data is strictly regulated and, to avoid having that regulation apply all across the tech stack, you just use one system that needs to be certified and all other systems just use a token linking to that system.

As bad as it is, using a central login system strictly using data access policies and, for example, not giving out information to send email but the permission to the mail provider to deliver an email

1/2

@fabio 2/2

Shifting away from considering email as secure and using it as central ID would also give a smaller attack vector

@circus_maximus the point is that not all systems that have some form of payment need to be fully PCI-compliant payment providers themselves.

It makes sense to collect personal information for KYC purposes if you’re a payment provider, but most of these platforms outsource their payments through the likes of Stripe or Adyen anyway.

It makes sense for those PSPs to collect credit card details or bank accounts, and to cross-verify them with the provided customer details, and run their own WorldCheck, Onfido or Focal checks on them.

But that data should be collected directly on the PSP portal side, or at most transparently transmitted by the merchant upon collection. Never stored on the merchant’s servers.

For the same reason that, when I pay with a card at a restaurant, the restaurant itself doesn’t collect and store my name, address, phone number and credit card number.
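The two points made above (keep only the fields the merchant actually needs, and keep payment instrument data on the PSP side, referenced by a token) can be enforced at the point where a customer record is written. The following is an added example, not code from the thread or from Basic-Fit or any PSP; the allowlist of fields, the `psp_token` name and the sample values are constructed for illustration, and the Luhn/IBAN checks are a heuristic guard, not a substitute for a proper PCI scope review.

```python
"""Merchant-side data minimisation: persist only an allowlisted set of fields and
refuse to persist anything that looks like a card number (PAN) or IBAN.
Added example; field names and sample values are assumptions."""
import re

# Assumed allowlist: the thread argues that full name plus a customer ID is enough
# for the gym, and that the payment reference should be an opaque PSP token.
ALLOWED_FIELDS = {"customer_id", "full_name", "psp_token"}

_NON_DIGITS = re.compile(r"\D")
# Country code, two check digits, then 11-30 alphanumerics (general IBAN shape).
_IBAN_SHAPE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


class ForbiddenDataError(ValueError):
    """Raised when a submitted value looks like payment instrument data."""


def luhn_ok(value: str) -> bool:
    """True if the digits in `value` form a 12-19 digit Luhn-valid number.

    Card PANs pass this check; it is a heuristic (some unrelated numbers also
    pass), so treat a hit as 'must not be stored here' rather than proof of a PAN.
    """
    digits = [int(c) for c in _NON_DIGITS.sub("", value)]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_iban(value: str) -> bool:
    """True if `value`, with spaces removed, has the general shape of an IBAN."""
    compact = value.replace(" ", "").upper()
    return bool(_IBAN_SHAPE.match(compact))


def minimise_customer_record(submitted: dict) -> dict:
    """Return the subset of `submitted` the merchant may persist.

    Any string value that looks like a PAN or IBAN aborts the write: that data
    belongs on the PSP's side, and the merchant keeps only the PSP token.
    Fields outside ALLOWED_FIELDS (email, address, phone, date of birth, ...)
    are silently dropped rather than stored.
    """
    for key, value in submitted.items():
        if isinstance(value, str) and (luhn_ok(value) or looks_like_iban(value)):
            raise ForbiddenDataError(
                f"field {key!r} looks like payment instrument data; "
                "collect it on the PSP side and store only the token"
            )
    return {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}


if __name__ == "__main__":
    # Constructed sample submission; the token value is a placeholder.
    submission = {
        "customer_id": "C-00012345",
        "full_name": "Jane Doe",
        "email": "jane@example.com",
        "phone": "+31 6 1234 5678",
        "psp_token": "tok_constructed_abc123",
    }
    print(minimise_customer_record(submission))
    try:
        # Well-known Visa test PAN, used here only to exercise the guard.
        minimise_customer_record({"customer_id": "C-1", "card": "4111 1111 1111 1111"})
    except ForbiddenDataError as exc:
        print("rejected:", exc)
```

Running the block keeps `customer_id`, `full_name` and `psp_token` from the sample submission, drops the email and phone number, and rejects the second write because the value is Luhn-valid in the PAN length range. The guard sits in front of the database write, so a form field that was added later and happens to carry a card or bank number is caught without anyone having to remember to scope the new field.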

@fabio yes, that's the exact mechanism I described. You don't need to be PCI-compliant unless you store credit card data. And you wouldn't need to, since there are payment providers.

So to come back to your example of the fitness company: the fitness company could link to your identity provider and, if it needs to send you an email, it should look up this capability, check if it's allowed to, and then have one-time access to your email inbox.

But I think not even Google builds like that