2.7 million medical calls breached in Sweden

hjorthjort.xyz/2019/02/20/2.7_

The calls were stored on a NAS connected to the internet with no authentication or encryption, with people's phone numbers in the file names of audio files.

@Gargron wtf?! It's kind of incredible this intrusion didn't happen immediately after the data was put online.

It's also not quite correct for them to call this a breach when they put the files out there for anyone to see and take with zero controls whatsoever. 🙄

@michelamarie We don't know who downloaded what when because they didn't have any network logging until January last year.

@clacke @michelamarie Every detail about this is absolutely amazing.

@tsturm It's an onion of Peter Principle and Dunning-Kruger Effect layers, from the little 3-person company that managed to snag the storage contract up via outsourcing of outsourcing up to the government-side purchasing staff. Nobody has the insight to check the level below.

@clacke I wonder how many more of these kinds of massive data leaks exist out there on open ports, just waiting for somebody to stumble over them.

@tsturm @clacke

I always try to imagine the guy responsible for this storage, who reads about all the hacks and leaks everywhere at Spotify, Google+, Equifax, and then goes back to work on his unencrypted public NAS with medical call recordings thinking "Yeah, yeah, just another day at work". I'm trying to imagine it, but I just never quite get it.

@chebra "We'll block SYN packages on the incoming port. There, done."

... is literally what they did in terms of mitigation.

@chebra @clacke On every level, nobody ever went like "Hey, all these phone calls, where are we storing them?"

Either none of these people is at all technical, which means it's a miracle any of that stuff works, or they are technical and criminally incompetent.

@tsturm A friend realized that he has worked with/for two of them. He says criminally nontechnical.