‘Apodis Pharma’ Leaked Over 1.7 TB of Confidential Data Online

Written by Bill Toulas
Last updated September 25, 2021

The French digital supply chain management and software solutions provider ‘Apodis Pharma’ has misconfigured an ElasticSearch database for public access, essentially leaking over 1.7 TB of confidential business-related data. The client portfolio of ‘Apodis Pharma’ includes big pharmaceutical firms, so the particular data leak is considered a grave security event.

The discovery comes from researchers of CyberNews, who found the database online on October 22, 2020. The team informed the owner immediately, but they didn’t hear back from them, so they reached out to CERT France.

Eventually, the data was secured on November 17, 2020, and after CyberNews contacted the CTO of Apodis Pharma directly. Malicious actors must have accessed the publicly available data in the meantime, as it was already indexed in IoT search engines.

Here is what was available in the database:

While the mistake of leaving the database open to access by anyone with a web browser is undeniably an elementary one, the practice of storing such sensitive information in plaintext form is what complements the problem. If the data were at least encrypted, as it should have been, the misconfiguration mistake wouldn’t be as serious as it is.

As a result of this breach, the attackers may now inflict damage to both ‘Apodis Pharma’ and its clients, but also to a large number of patients who have no idea about the exposure of their personal details. This includes scamming, blackmailing, and phishing, but messing around with the provision of medicare services is also possible.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: