Smorgasbord of security problems starts with lack of encryption
UPDATED Calls recorded by a Swedish national health service hotline were stored on an unencrypted system that was publicly accessible to anyone with an internet connection, it has emerged.
An estimated 2.7 million phone calls were discovered to have been left open by an unprotected NAS (network attached storage) system, and were accessible without a password or any authentication, according to local reports.
Wav on MP3 files were reportedly stored but are no longer available.
An estimated 170,000 hours of calls dating back to 2013 were exposed, tech title ComputerSweden reports.
Journalists who listened to some of the calls in order to verify the breach reported that 57,000 Swedish phone numbers appear in a database associated with the audio files.
The recorded information appears to relate to calls made out of normal office hours to the 1177 care line.
This service is run by sub-contractor MediCall (Sweden), which uses Biz 2.0, a cloud-based call centre system supplied by Voice Integrate Nordic AB.
Martin Jartelius, CSO at Outpost24, said: “This is likely the worst privacy breach in Sweden in modern times.
“The device is a NAS device, and rather outdated on software. Other examples include unencrypted administration of an exposed router, exposed log management solutions, and much else.”
The Daily Swig put these various criticisms to both MediCall (Sweden) and Voice Integrate Nordic AB but we're yet to hear back from either party. This story will be updated as and when more information comes to hand.
The Swedish Data Protection Authority (Datainspektionen) confirmed to The Daily Swig that it was aware of the incident and intended to investigate. "We have not formally initiated the supervision yet, though,” a spokesman added.
This article was updated to include a comment from Datainspektionen.