I was preparing to write about anti-patterns for Privacy by Design, but after the IT-scandal in Sweden this week, I needed stronger words.
Computer Sweden found out that recordings for 2.7 calls to public care in Sweden were exposed on Internet by an outsourcing-partner in Thailand. (Their server was located in Sweden). These recordings contained personal information about adults and children, including health-related data, and in some cases their phone numbers.
All information was publicly avalible, without username and password. If you connected to the server with the adress http://184.108.40.206:443/medicall/., you got full access.
According to the article, the companies involved denied the problem or said they didn’t know the details of the technical solution.
Another source of information, not yet verified, pointed out that there servers had a number of know vulnerabilities due to un-patched systems. A third, un-verified, source said it was still possible to access the data by exploiting the vulnerabilities.
My clear verdict is that they have not thought of Privacy by Design, either from an organisational, an application or an infrastructure perspective.
I have asked the health care provider of which information they have stored about me, and if my calls to healthcare are in the leak.
To be continued....