The fitness community has become a prime target for hackers, and with the running season now in full flow, hundreds of thousands of UK citizens could be at risk.
The rise of cyber threats facing the fitness community corresponds directly to the rise of the digital health & fitness industry. While the benefits of going digital are clear, athletes must also understand the dangers. Learn what to look out for, and how to defend your data.
Races, events and breaches to know about
MyFitnessPal – On Thursday 29th March 2018, Under Armour revealed that the data of 150m users was accessed during a data breach – link. The company claims that the data was encrypted, but has urged customers to change passwords immediately
Active.com – Also in March 2018, Active.com, which has millions of monthly users, told customers of a data breach between December 2016 and September 2017 which may have exposed users’ personal data, including payment information. It is yet to release an official statement, but there is evidence that numerous users have experienced fraudulent activity on their payment cards after registering for an event – link. Races/events currently listed on the Active.com website include:
- The Brighton Marathon
- Football camps hosted by Liverpool, Man City, Chelsea and Brighton
- The English Half Marathon
- Many other 5ks, 10ks, fun runs, half marathons and triathlons, as well as cycling, yoga, basketball, football and family events
Fitbit – Researchers at the University of Edinburgh revealed vulnerabilities in popular Fitbit products in September 2017, which would allow hackers to steal users’ personal data and bypass Fitbit’s encryption methods – link
Strava – In January 2018, Strava’s global heatmap, powered by its user tracking functionality, was deemed to be in breach of US security, by revealing the location of secret US military facilities – link
“These breaches are a clear warning to all athletes, not just Active.com and Under Armour customers; emphasising the need to stay extra vigilant when registering for new events. If you’ve signed up for any fitness events or races in the last 18 months, you should review your bank statements for fraudulent activity”
Andy Kays, CTO
The rise of fitness apps/devices – According to Tata Consultancy Services (TCS), the Official Technology Partner of the Virgin Money London Marathon – link:
- 82% of UK recreational runners use some kind of wearable device
- 74% of UK runners claim to have exercised more with digital support
- 18% of UK runners have posted fitness data on social media
- The average recreational athlete in the UK has spent £83 on fitness technology in total
Top tips to avoid running into trouble
To stay safe in the running season, check out our expert tips below:
1. Be careful when entering new events or making online payments of any kind. Look for secure websites and payment services that display a padlock in a web browser when entering sensitive information
2. Monitor for fraudulent activity on your bank account, particularly in the days and weeks following event registration
3. If you’ve participated in a fitness event/race in the last 18 months, check to see if payment details were processed by Active.com. If so, check back over old bank statements for possible fraudulent transactions
4. Change your passwords for any service that has been breached in the past, including MyFitnessPal
5. Use secure and unique passwords for every digital account – use a password management app like LastPass to help with this
6. Review and change your privacy settings if you use a fitness app or wearable device that has the functionality to track and share your location in real time (the default settings are not necessarily secure)
7. Be on the lookout for suspicious emails and correspondence relating to fitness, since hackers frequently use the hobbies and interests of their targets as part of phishing campaigns
8. Don’t blindly trust links shared by email or via social media. If in doubt, enter the company/race/event into a search engine first to ensure it’s a legitimate website
9. Under the new General Data Protection Regulation (GDPR), coming into force this month, individuals will have the right to request a copy of all the data held on them by an organisation and to have it erased.
Redscan is an award-winning provider of managed security services, specialising in threat detection and integrated incident response.
Possessing a deep knowledge of offensive security, Redscan’s experts are among the most qualified in the industry, working as an extension of clients’ in-house resources to expose and address vulnerabilities plus swiftly identify and shut down breaches. Services offered include: CREST Pen Testing, Red Teaming and Managed Detection and Response.