On Monday, news outlet Computer Sweden broke the news that millions of calls to a national Swedish health care adviser were openly available on the internet. Here is a summary in English. In short, they were recording calls for years, put them on a NAS and connected it to the internet, unencrypted, with no password protection. Caller phone numbers were displayed in the file names.
Why is this funny? It isn’t. It is extremely serious, and I sincerely hope that we will see massive fines, people losing their jobs, and perhaps some more severe criminal charges brought against those whose negligence caused this.
But it is also funny. Because the incompetence reads like a Monty Python sketch, or like the “front fell off” video.
I made a Facebook post in Swedish that got some attention, so I figured I would make it available to you English speakers out there as well. I know most of the conversation on this is going on in Swedish, so I want to make sure you get in on the tragedy/comedy. At the bottom of the post, I’m collecting my favorite quotes. Read ‘em and weep.
Here’s the original post. English translation below. I have truly made my best effort to convey the silliness. Some quotes may sound badly translated, but I assure you, they sound just as inane in Swedish. I’ll drop sic markers in liberally to avoid any confusion.
I know I have many friends and acquaintances who are not familiar with IT jargon, which is naturally being used a lot by the culprits in this matter as they defend themselves. I’m sure many of you feel that this was a serious accident, something unpredictable, an unfortunate but inevitable side-effect of digitalization.
This is not the case.
Every coder I have read, heard and talked to is thrown between bursting into laughter and bursting into tears. Every interview about this sounds like a Monty Python sketch.
It is painfully obvious that no one involved in this knows the first thing about computer security, and barely anything about IT. Digitalization did not cause the 1177 fiasco. Absurd levels of incompetence were the cause. Truly absurd.
So this seems like a problem with procurement, and consultants promising much while knowing little. The whole thing seems like a systems-level Dunning–Kruger effect: people have so little knowledge that they don’t realize how little they know, so they assume their solutions are alright. They also don’t grasp how little everyone else involved knows, and suddenly the blind are leading the blind. It takes very small amounts of competence to realize that data of this sensitive nature requires extra care, that you need to find out what you don’t know, that you need to ask for help. Not just connect the damn thing and cross your fingers.
In this status, I will collect my favorite quotes from involved parties in this debacle as I come across them because this is comedy gold. The stupidity is mind-numbing.
Tommy Ekström, CEO of Voice Integrate Nordic AB, the ground-zero of the breach
- “It’s an internal hard drive, so to speak, that isn’t password protected since it’s only accessible from the computer it’s connected to.”
- “A regular person can’t do it, but those who are knowledgeable about these things could perform some sort of special command move [sic] and sneak in through the back.”
- “It’s comparable to a personal home hard drive. You don’t perform surveillance for breaches, because it can’t be accessed.”
- “For some reason, it has gotten its own little [sic] cord to the Internet. It wouldn’t have hurt if no one knew this server had this problem [sic], but Computer Sweden found out.”
- “You can’t protect yourself 100 percent from these things, but we have to look over our routines, and we’re doing that now. If we upgrade this kind of servers we have to check if they are connected to the Internet. Like a checklist when you land an airplane. These kinds of incidents are caused by having many people in rotation, not any intentional mischief.”
- “But it turns out even the simplest hard drive is accessible if it’s connected to the Internet.”
- Tommy Ekström said they have now pulled the Internet cord and closed the server off from the Internet.
- According to Ekström, 55 files have been downloaded from the drive, “many of them duplicates”.
- Tommy Ekström says that Voice Integrate Nordic is initially investigating themselves, but external auditors may become involved later. “We have people who are extremely competent in these matters.”
- “They don’t have to worry, their information is not released [sic]. The files that have been downloaded are not a large quantity, and we know who they are.”
- “At the same time, if you have advanced technology [sic] you can’t protect yourself against everything.”
- “These days it’s not as easy as just having a server with everything on it, it’s a bunch of hassle with lots of people involved, lots of parts outside our own company.”
- “We use Applion because their certificate handling is so good.”
- “Are you saying there is no username and password for the server?”
- “That someone probably, when updating at some point, seen that there was a free networking cable slot, and I guess they thought, some technician: ‘Aha, there should probably be a cable here, but it fell out [sic]’, and then they have connected a networking cable, so that it’s become connected to the Internet. That is just, like, how you do these things.”
Davide Nyblom, CEO of MediCall, confronted with the news
- “We have checked with our IT department, and what you are saying is completely impossible.”
Voice Integrate Nordic’s website 2019-02-20
- “The server is no longer accessible because we have ‘PULLED THE CORD’ [sic] and we are continuing to analyze what happened.”
- “We have taken some ‘flak’ for this event, but we are trying to stay focused on minimizing damage and correcting the error.”
- “February 18 a breach was detected at MediCall’s and MedHelp’s subcontractor Voice Integrate Nordic AB.”
- “The server is located in Sweden and no patient data or personal information is stored outside Swedish borders.”
Björn Arkinger, business area manager at MedHelp
- When asked why they don’t hire penetration testers: “Well, that’s a good question. I mean, one should be aware that these kinds of solutions are handled by very complex systems. It’s hard.”
- “I would say that the average person is knowledgeable enough to reach them. You had to perform a port scan on the server, and it would take a certain amount of effort.”
These very 90s websites:
DN, ComputerSweden, Aftonbladet, P1
I’m not a security expert. I’m just a computer scientist, I work a lot with computers, and I hang around people who are much better at networking and security than I am. So I don’t know what is best practice, and I’m sure there are things that sound silly to me that are actually reasonable, as well as quotes I find completely normal that are actually madness. Please let me know.