According to Stefan Thelberg, security expert and CEO at Holm Security, the 1177 leak could easily have been avoided if basic security measures had been in place – not least solutions that have been on the market for over 20 years and can be implemented in 10 minutes. He believes that the county council that ordered the service from a company called Medicall should have ensured that these basic security functions were in place.
Since the introduction of the new EU directive NIS (Network and Information Security) in 2018, organizations providing critical services have a legal requirement to work with their IT security in a risk-based and systematic way. A natural part of this work is to continuously verify that no systems have vulnerabilities – regardless of whether the system is outsourced.
“This seems to be a classic case where the client, through subcontractors, lost control of their IT security. It would have taken 10 minutes to set up a standard vulnerability assessment with an alarm that would have been triggered as soon as the file archive was exposed in the first place. The lights should have turned red many years ago, preventing this from happening. We are working on finding vulnerabilities for hundreds of governmental organizations and unfortunately, we are not surprised to hear about this leak. This is simply the tip of an iceberg and we can expect there to be many more incidents in the future. Organizations must realize that the responsibility cannot be outsourced and that IT security needs to be a higher priority,” says Stefan Thelberg.
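The "alarm" Thelberg describes is, at its core, a continuous comparison between what an external scan can actually reach and what the organization has approved for exposure. The following is an added illustration of that check, not code from Holm Security, Medicall or any party named in the article. The hostnames, the approved baseline, the scan lines and the port-to-risk mapping are all constructed for the example; a real deployment would feed it the output of whatever external scanner is in use.

```python
"""Exposure-drift alarm (constructed example).

Compares the open services seen by an external scan against an approved
baseline and raises a finding for everything that is reachable but was never
approved, treating file-sharing and remote-access ports as critical.
"""
from dataclasses import dataclass

# Constructed baseline: the only (host, port) pairs allowed to face the internet.
APPROVED_EXPOSURE = {
    ("vpn.example.invalid", 443),
    ("www.example.invalid", 443),
}

# Constructed mapping: ports whose unexpected exposure is an immediate alarm,
# because they typically front file archives or administrative access.
HIGH_RISK_PORTS = {21: "ftp", 445: "smb", 3389: "rdp", 9200: "elasticsearch", 27017: "mongodb"}

# Constructed scan output, one line per scanned port: host port/proto state service
SAMPLE_SCAN = """\
vpn.example.invalid 443/tcp open https
www.example.invalid 443/tcp open https
recordings.example.invalid 21/tcp open ftp
recordings.example.invalid 80/tcp open http
www.example.invalid 22/tcp closed ssh
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str


def parse_scan(text):
    """Return the set of (host, port, service) tuples whose state is 'open'."""
    seen = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting the check
        host, portproto, state, service = parts
        if state != "open":
            continue
        port = int(portproto.split("/")[0])
        seen.add((host, port, service))
    return seen


def exposure_findings(scan_text, approved=APPROVED_EXPOSURE):
    """One Finding per open service that is not in the approved baseline."""
    findings = []
    for host, port, service in sorted(parse_scan(scan_text)):
        if (host, port) in approved:
            continue
        severity = "critical" if port in HIGH_RISK_PORTS else "high"
        findings.append(Finding(host, port, service, severity))
    return findings


def newly_exposed(previous_scan, current_scan):
    """Services open now that were not open in the previous run (the 'drift')."""
    return parse_scan(current_scan) - parse_scan(previous_scan)


def alarm_triggered(scan_text, approved=APPROVED_EXPOSURE):
    """True when at least one unapproved, high-risk service is reachable."""
    return any(f.severity == "critical" for f in exposure_findings(scan_text, approved))


if __name__ == "__main__":
    for f in exposure_findings(SAMPLE_SCAN):
        print(f"[{f.severity.upper()}] {f.host}:{f.port} ({f.service}) reachable but not approved")
```

Run on a schedule against each scan result, the check turns the scenario in the article into an alert: a recordings server that suddenly answers on an FTP port is unapproved and high-risk, so `alarm_triggered` flips to true on the first scan after the exposure rather than years later. The `newly_exposed` comparison between consecutive runs is what lets an operator see exactly which service changed since the last clean scan.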
According to the Swedish newspaper Dagens Nyheter, one of the subcontractors, Voice Integrate Nordic AB, announced that the leak occurred when a network cable was accidentally connected to the server where the 1177 recordings were stored. As a result, the server got a direct connection to the internet and was accessible to anyone. However, Stefan is not convinced by this explanation.
“A network cable being incorrectly connected sounds unreasonable, and it’s most likely the explanation that sounds the least bad. It’s not likely that someone spontaneously connects a network cable without it being prompted by an error.”
The incident was reported as a GDPR incident to the Swedish Data Protection Authority (“Datainspektionen”) and is likely to result in fines for the county.