Lessons to be learned from the Polar incident

Last Sunday, journalists from The Correspondent revealed that it was trivially easy to find the names and addresses of military and intelligence service personnel that use Polar, a popular runners wearable and fitness app. All runs (even private ones) made by owners of a Polar fitness device are stored on a central server, and can be viewed on a map. Even though the user interface restricted access to only public runs, bypassing the user interface and entering URLs manually allowed them to extract all runs made by anyone since 2014. Polar switched off access to the map recently to prevent further abuse of this. What can we learn from this incident?