Swedish Healthcare Hotline in Potential GDPR Data Breach

The number 1777 is the Swedish Healthcare Guide service, a hotline for healthcare information. A helpful and welcome initiative, you may think, and it could have been, were it not for the complete lack of security on the server storing the recorded calls.

It turns out that between 2013 and 2018 the open server could be accessed without any login credentials. At the same time, it stored around 170,000 hours' worth of phone calls containing sensitive information. In around 57,000 of these calls, callers shared personal medical information, including social security numbers, while seeking advice. Every recording was stored under a filename that also contained the caller's phone number.

Recording sensitive phone calls isn't unusual, provided that callers are promptly informed that the call is being recorded, but the fact that the server required no authentication at all is a major issue, and one that could potentially lead to GDPR probes. It turns out that 2.7m sensitive calls could be accessed with nothing more than the server's IP address and a web browser. The calls could be viewed as a dated list and either played directly in the browser or downloaded as .mp3 or .wav files.

Access to the server has now been blocked.

