All of the affected companies use the service provider Applion to host their confidential information, but Applion is not securing that data. With no firewall protection, encryption or login credentials in place, Applion has left its customer data completely exposed to the internet and accessible to anyone.
Investigations by Outpost24 reveal that other affected companies include Prebus and iTell, a Swedish telephony service company with a turnover of approximately 4 million €.
The web server that has been covered in the media is located at nas.applion.
The screenshot of the server, collected on February 16th 2019, showed a list of companies being exposed openly on the internet by Applion, the service provider used by the identified companies.
We have already seen the initial disclosure from Computer Sweden on the Medicall phone call leak. On the 19th of February, another company, Prebus, a patient transportation services provider, confirmed that it has also been affected.
Another company on the list is iTell, a Swedish telephony service company, which is currently investigating how it is affected by the incident and to what extent.
The company behind the snow/ directory is yet to be identified.
At the time of the incident, Applion had about 120 servers exposed to the internet, one of which contained the confidential information that could be putting many companies and their customers at serious risk. Outpost24 is continuing to investigate other companies affected by Applion’s unsecured servers.
Commenting on the incident, Martin Jartelius, CSO of Outpost24, said: “This is likely the worst privacy breach in Sweden in modern times. Looking at the breach, it is not only due to a lapse in security, but a complete lack of any form of protection. The same company also exposed other outdated and very weakly protected services to the internet, some so outdated that a modern system would not even be able to connect to them.
This is the exact kind of incident that demonstrates why GDPR matters and why privacy needs to be taken seriously. Any organisation which has the right to record our most private conversations should have both a legal and ethical responsibility to keep this data safe – and they failed.
When looking at the company’s server, you can see the system has been exposed for a long period of time. The device is a NAS device, and rather outdated in its software. Other examples include unencrypted administration of an exposed router, exposed log management solutions and much more.”
Outpost24 is a leading cyber assessment company focused on enabling its customers to achieve maximum value from their evolving technology investments. By leveraging our full stack security insights to reduce attack surface for any architecture, Outpost24 customers continuously improve their security posture with the least effort.
Over 2,000 customers in more than 40 countries around the world trust Outpost24 to assess their devices, networks, applications, cloud and container environments and report compliance status for government, industry sector, or internal regulations. Founded in 2001, Outpost24 serves leading organizations across a wide range of segments including financial and insurance, government, healthcare, retail, telecommunications, technology, and manufacturing.