The 170,000 hours of incredibly sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information completely exposed for anyone with a web browser.
— @mikko (@mikko) February 18, 2019
Computer Sweden listened to some of the recordings after first taking steps to limit exposure, i.e. waiting for the site to be secured. The calls included sensitive information about patients’ diseases and ailments, medication, and medical history. In some recordings, callers described their children’s symptoms and gave their social security numbers.
Some of the files include the phone numbers the calls were made from. Around 57,000 numbers appear in the database and many of those are the callers’ personal numbers, making it easy to match information with a particular person.
It’s still unclear how long the calls were available for, who’s to blame for the breach, and whether any bad actors have already accessed the information.
However, it seems the leaked calls were all made to 1177 Vårdguiden’s subcontractor Medicall — a Thailand-based company owned by Swedes. When asked about the breach, Medicall CEO Davide Nyblom denied it happened despite the overwhelming contradictory evidence.
The scale and incompetence of the data breach are dumbfounding, and it’s more than likely an investigation will be launched into the matter — especially considering GDPR’s clear stance on how personally identifiable information should be handled.