A major Swedish privacy leak revealed this week is even worse than at first thought, with several other companies and over 100 additional servers exposed, according to new findings.
Security vendor Outpost24 investigated service provider Applion, sister company to Voice Integrate Nordic AB, which hosts data for the affected firms on its web servers.
In the original case, the NAS storage unit at nas.applion was found to have exposed 2.7 million patient calls to a medical hotline stored on behalf of Swedish healthcare contractor MediCall.
However, Outpost24 posted a screenshot showing that this same exposed web server also hosted data from other firms, including Swedish telephony firm iTell and patient transportation service provider Prebus.
The server itself, Apache 2.4.7, is also several years old and riddled with vulnerabilities.
In total, Applion had around 120 servers exposed to the public internet with no password protection, according to Outpost24.
Martin Jartelius, CSO of Outpost24, argued that the firm appears to have paid scant regard to security best practice.
“Looking at the breach, it is not only due to [lax] security, but a complete lack of any form of protection. The same company also exposed other outdated and very weakly protected services to the internet, some so outdated a modern system would not even be able to connect to them,” he said.
“When looking at the company’s [Apache] server, you can see the system has been exposed for a long period of time. The device is a NAS device, and rather outdated on software. Other examples include unencrypted administration of an exposed router, exposed log management solutions and much more.”
Reports emerged this week that around 170,000 hours of calls to Sweden’s 1177 Healthcare Guide (Vårdguiden) service dating back to 2013 had been exposed by MediCall. Some of these calls included saved phone numbers and mentioned social security numbers.
The initial web server issue has apparently now been remedied, but it’s unclear whether the additional 120 exposed servers Outpost24 discovered have been protected.