- ‘Apodis Pharma’ left online an unprotected database containing massive amounts of sensitive data.
- The data was not encrypted, and the chances that malicious actors accessed it are very high.
- The event affects the company, its clients, and also a large number of unsuspecting patients.
The French digital supply chain management and software solutions provider ‘Apodis Pharma’ misconfigured an Elasticsearch database for public access, essentially leaking over 1.7 TB of confidential business-related data. The client portfolio of ‘Apodis Pharma’ includes big pharmaceutical firms, so this particular data leak is considered a grave security event.
The discovery comes from researchers at CyberNews, who found the database online on October 22, 2020. The team informed the owner immediately, but did not hear back, so they reached out to CERT France.
Eventually, the data was secured on November 17, 2020, after CyberNews contacted the CTO of Apodis Pharma directly. Malicious actors must have accessed the publicly available data in the meantime, as it had already been indexed by IoT search engines.
Here is what was available in the database:
- An archive of confidential pharmaceutical shipment data, including shipment storage status, the precise times and locations at which shipments were picked up by sellers or distributors, and the quantity of pharmaceuticals in each shipment.
- An archive of 25,000+ partner and client organizations, such as pharmaceutical laboratories and pharmacies, serviced by the Apodis Pharma distribution platform.
- Two archives of products stored in Apodis Pharma client warehouses, containing 17,324,382 entries and 32,960,114 entries each. The archives include product data like product quantities and IDs, as well as warehouse data.
- An archive of confidential product sales data containing 17,556,928 quarterly entries that include information such as sales dates, locations, prices, and quantities sold between Apodis Pharma clients like pharmaceutical laboratories and pharmacies.
- An archive of user data containing 4,436 entries, including full names of people who appear to be Apodis Pharma clients, partners, and employees.
- Consumer and client data visualizations and analytics, including consumer gender statistics and presumably confidential charts of client sales and warehouse stocks.
While the mistake of leaving the database open to anyone with a web browser is undeniably an elementary one, the practice of storing such sensitive information in plaintext is what compounds the problem. If the data had at least been encrypted, as it should have been, the misconfiguration would not have been as serious as it is.
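As an added illustration (not from the article, and not Apodis Pharma's actual configuration), here is the kind of elasticsearch.yml that produces exactly this exposure, followed by a hardened version; the bind address and certificate paths are placeholders.

```yaml
# Document 1: exposed node (constructed example).
# In Elasticsearch 7.x and earlier the security features were off by default, so a node
# bound to every interface answered unauthenticated HTTP requests from anyone who found it,
# including the IoT search engines that index such endpoints.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# Document 2: hardened node (constructed example).
# Bind only to the private interface the application servers use (placeholder address).
network.host: 10.0.1.15
http.port: 9200
# Require authentication and role-based authorization for every API call.
xpack.security.enabled: true
# Encrypt the HTTP API and inter-node traffic (keystore paths are placeholders).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.verification_mode: certificate
# Encryption at rest is not an elasticsearch.yml setting: it has to come from full-disk
# encryption (for example dm-crypt/LUKS) or the cloud provider's volume encryption on the
# data path, so that a copied or exposed data directory is still unreadable.
path.data: /var/lib/elasticsearch
```

Beyond the node itself, a network firewall or security group that only admits the application tier to port 9200 is what would have stopped the database from being reachable by a web browser in the first place.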
As a result of this breach, attackers may now inflict damage on both ‘Apodis Pharma’ and its clients, and also on a large number of patients who have no idea that their personal details were exposed. This includes scamming, blackmail, and phishing, but interfering with the provision of medical services is also possible.