French healthcare software company Apodis Pharma was notified by researchers at CyberNews of a possible data leak. On October 22, 2020, CyberNews researchers discovered a misconfigured, unencrypted Elasticsearch database, reachable from the internet, which contained 1.7TB of Apodis Pharma's confidential business data, including information about its partners, its business operations and its employee accounts, as well as some patient information.
Following standard disclosure procedure, the researchers promptly reported their findings to the company but received no response. Given the gravity of the leak, they then escalated to CERT France, but that attempt also went unanswered. Eventually, CyberNews researchers established direct contact with Apodis Pharma's CTO, Mathieu Bolard, who had the issue fixed immediately.
The researchers said they could not tell who had accessed the database, "however, the database has already been indexed on at least one popular IoT search engine, which means that there is almost no doubt that the data has been accessed and possibly downloaded by outside parties for potentially malicious purposes."
According to CyberNews, the exposed database contained the following:
- Archived confidential pharmaceutical shipment data, shipment storage status, the precise time and locations of the shipments, and the quantity of pharmaceuticals in the shipments.
- An archive of Apodis Pharma’s 25,000+ partner and client organizations, such as pharmaceutical laboratories and pharmacies.
- Two archives of products stored in Apodis Pharma client warehouses, containing 17,324,382 and 32,960,114 entries respectively. They included product data such as product quantities and IDs, as well as warehouse data.
- Confidential product sales data containing 17,556,928 quarterly entries that include information such as sales dates, locations, prices, and quantities sold between pharmaceutical laboratories and pharmacies.
- User data containing 4,436 entries, including full names of Apodis Pharma clients, partners, and employees.
- Consumer and client data visualizations and analytics, including consumer gender statistics, and presumably, confidential client sales and warehouse stocks charts.
Experts suggest that, at the very least, an Elasticsearch instance (or any other database) hosted on a server with a public IP address should require a strong, unique username and password. Credentials alone are not the whole story: an Elasticsearch node that listens on a public interface with security disabled answers every query on its REST port to anyone who can reach it, so the database should also be bound to a private interface, placed behind a firewall or VPN, and served over TLS. This is a basic yet often neglected line of defence.
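The exposure pattern described above, as an added example that is not part of the original article and not code from CyberNews or Apodis Pharma: a small audit script that reads a flat elasticsearch.yml and flags the weak configuration (REST API bound to a public interface with authentication or TLS off) next to a hardened one. The two config snippets are constructed for illustration; the script assumes the usual flat `key: value` layout of elasticsearch.yml rather than nested YAML, and treats an absent `xpack.security.enabled` as disabled, which matches the 6.x/7.x defaults (8.x enables it by default).

```python
# Added example: audit a flat elasticsearch.yml for the exposure pattern in
# the article (no auth, no TLS, listening on a public interface). Not code
# from CyberNews or Apodis Pharma; the two configs below are constructed.
# Assumptions: flat "key: value" lines only; an absent xpack.security.enabled
# is treated as disabled (Elasticsearch 6.x/7.x default; 8.x defaults to on).

# Values of network.host that keep the REST API on loopback only. Anything
# else (0.0.0.0, _site_, _global_, a LAN IP, or a list) is treated as exposed.
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse `key: value` lines into a dict; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_enabled(settings, key):
    """True only if the setting is explicitly truthy; absent counts as off."""
    return settings.get(key, "false").lower() in ("true", "yes", "on", "1")


def is_publicly_bound(settings):
    """Unset network.host binds loopback only; lists are checked element-wise."""
    raw = settings.get("network.host", "_local_")
    hosts = [h.strip() for h in raw.strip("[]").split(",")]
    return any(h not in LOOPBACK_HOSTS for h in hosts)


def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not is_publicly_bound(settings):
        return findings  # loopback-only: unreachable from the network
    if not is_enabled(settings, "xpack.security.enabled"):
        findings.append("REST API reachable beyond loopback with "
                        "xpack.security.enabled off: anyone who can reach "
                        "the port can read and dump every index")
    if not is_enabled(settings, "xpack.security.http.ssl.enabled"):
        findings.append("REST API served over plain HTTP: credentials and "
                        "data cross the network unencrypted")
    return findings


# Constructed sample: the weak setup the article warns about.
WEAK_CONFIG = """
cluster.name: pharma-data
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no username/password at all
"""

# Constructed sample: same cluster with auth and TLS on, bound to the LAN only.
HARDENED_CONFIG = """
cluster.name: pharma-data
network.host: _site_           # site-local address, not the public one
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Even the hardened config still relies on a firewall or VPN in front of the `_site_` interface; the script checks what the node itself is told to do, not what the network around it permits.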