The 1177 leak could have easily been avoided

Carolina Martell

March 8, 2019

Recently, Sweden experienced its most extensive data leak in history. On February 18th, the Swedish newspaper Computer Sweden announced that the Swedish Healthcare Guide service called “1177” was found to have a server exposed on the internet. This server listed an estimated 2.7 million files with recordings of phone calls between 2013 and 2018. 1177, which is the actual phone number, works as a hotline for people seeking medical advice. It’s a public service that is free for all Swedish citizens and is used on a large scale.

According to Stefan Thelberg, security expert and CEO at Holm Security, the 1177 leak could have easily been avoided if basic security measures had been in place – not least solutions that have been on the market for over 20 years and could be implemented in 10 minutes. He believes that the county council that ordered the service from a company called Medicall should have ensured that these basic security functions were in place.

Since the introduction of the new EU directive NIS (Network and Information Security) in 2018, organizations delivering critical services have a legal requirement to work with their IT security in a risk-based and systematic way. A natural part of this work is to continuously ensure that no systems have vulnerabilities – regardless of whether they are outsourced.

“This seems to be a classic case where the client, through subcontractors, lost control of their IT security. It would have taken 10 minutes to set up a standard vulnerability assessment with an alarm that would have been triggered as soon as the file archive was exposed in the first place. The lights should have turned red many years ago preventing this from happening. We are working on finding vulnerabilities for hundreds of governmental organizations and unfortunately, we are not surprised to hear about this leak. This is simply the tip of an iceberg and we can expect there to be many more incidents in the future. Organizations must realize that the responsibility cannot be outsourced and that IT security needs to be a higher priority,” says Stefan Thelberg.

According to the Swedish newspaper Dagens Nyheter, one of the subcontractors, Voice Integrate Nordic AB, announced that the leak occurred when a network cable was accidentally connected to the server where 1177’s recordings were stored. The server thereby got a direct connection to the internet and was accessible to anyone. However, Stefan is not convinced by this explanation.

"A network cable is incorrectly connected sounds unreasonable and it’s most likely the explanation that sounds the least bad. It’s not likely that someone spontaneously connects a network cable without it being prompted by an error."

The incident was reported as a GDPR incident to the Swedish Data Protection Authority (“Datainspektionen”) and is likely to result in fines for the county.
