[BreachExchange] ‘Apodis Pharma’ Leaked Over 1.7 TB of Confidential Data Online

Destry Winant destry at riskbasedsecurity.com
Fri Dec 4 10:46:41 EST 2020


https://www.technadu.com/apodis-pharma-leaked-1-7-tb-confidential-data-online/228431/

‘Apodis Pharma’ left an unprotected database containing massive
amounts of sensitive data reachable online.
The data was not encrypted, and the chances of malicious actors
having accessed it are very high.
The event affects the company, its clients, and also a large number of
unsuspecting patients.

The French digital supply chain management and software solutions
provider ‘Apodis Pharma’ misconfigured an Elasticsearch database so
that it was reachable from the internet without authentication,
exposing over 1.7 TB of confidential business data. The client
portfolio of ‘Apodis Pharma’ includes big pharmaceutical firms, so
the leak is considered a grave security event.

The discovery comes from researchers at CyberNews, who found the
database online on October 22, 2020. The team informed the owner
immediately but did not hear back, so they reached out to CERT
France.

The data was eventually secured on November 17, 2020, after CyberNews
contacted the CTO of Apodis Pharma directly. Malicious actors are
likely to have accessed the publicly available data in the meantime,
as the database had already been indexed by IoT search engines.
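The two facts above, that the cluster answered anonymous requests and that it had already been indexed by IoT search engines, come down to the same probe those engines run: an unauthenticated GET against port 9200. The script below is an added example, not tooling from CyberNews, Apodis Pharma or the article; it checks one host you are authorised to test, classifies the cluster as open or auth-required from the root banner, and, if open, totals the documents and bytes that an anonymous client can list. The target URL is a placeholder, and the sample responses at the bottom are constructed for the offline check (the document counts reuse figures quoted in the article but the index names and sizes are invented).

```python
"""Probe an Elasticsearch node for anonymous access and summarise the exposure.

Added example; the target URL and the sample responses are assumptions.
Only run it against hosts you are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request


def classify_status(status, body):
    """Verdict from GET / : 'open', 'auth_required' or 'unknown'."""
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        # An anonymous client got the cluster banner: no auth in front of the node.
        if "cluster_name" in info and "version" in info:
            return "open"
        return "unknown"
    if status in (401, 403):
        return "auth_required"  # security is enabled and credentials are demanded
    return "unknown"


def summarize_indices(cat_indices):
    """Total docs and bytes over the rows of GET /_cat/indices?format=json&bytes=b.

    Internal indices (names starting with '.') are skipped; closed indices
    report null counts, which are treated as zero.
    """
    names, total_docs, total_bytes = [], 0, 0
    for row in cat_indices:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        names.append(name)
        total_docs += int(row.get("docs.count") or 0)
        total_bytes += int(row.get("store.size") or 0)
    return {"indices": sorted(names), "docs": total_docs, "bytes": total_bytes}


def _get(url, timeout=5):
    """GET url; return (status, body) and treat HTTP errors as ordinary answers."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, timeout=5):
    """Classify the node and, if it is open, list what an anonymous client sees."""
    base = base_url.rstrip("/")
    status, body = _get(base + "/", timeout)
    report = {"verdict": classify_status(status, body), "status": status}
    if report["verdict"] == "open":
        status, body = _get(base + "/_cat/indices?format=json&bytes=b", timeout)
        if status == 200:
            report["summary"] = summarize_indices(json.loads(body))
    return report


# Constructed sample responses for the offline check; not real Apodis data.
SAMPLE_ROOT = json.dumps(
    {"name": "node-1", "cluster_name": "es-example", "version": {"number": "7.9.2"}}
)
SAMPLE_AUTH_ERROR = json.dumps({"error": {"type": "security_exception"}, "status": 401})
SAMPLE_CAT = [
    {"index": "warehouse-stock", "docs.count": "17324382", "store.size": "1200000000"},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "40000"},
    {"index": "sales-quarterly", "docs.count": "17556928", "store.size": "2400000000"},
    {"index": "archive-closed", "docs.count": None, "store.size": None},
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"  # assumed
    print(json.dumps(probe(target), indent=2))
```

A verdict of "open" together with a non-empty index list is exactly the condition that gets a cluster catalogued by internet-wide scanners; a 401 from the root URL means authentication is in front of the node and nothing further is listed.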

Here is what was available in the database:

- An archive of confidential pharmaceutical shipment data, shipment
storage status, the precise times and locations of where the shipments
have been picked up by sellers or distributors, as well as the
quantity of pharmaceuticals in the shipments.
- An archive of 25,000+ partner and client organizations, such as
pharmaceutical laboratories and pharmacies, serviced by the Apodis
Pharma distribution platform.
- Two archives of products stored in Apodis Pharma client warehouses,
containing 17,324,382 entries and 32,960,114 entries each. The
archives include product data like product quantities and IDs, as well
as warehouse data.
- An archive of confidential product sales data containing 17,556,928
quarterly entries that include information such as sales dates,
locations, prices, and quantities sold between Apodis Pharma clients
like pharmaceutical laboratories and pharmacies.
- An archive of user data containing 4,436 entries, including full
names of people who appear to be Apodis Pharma clients, partners, and
employees.
- Consumer and client data visualizations and analytics, including
consumer gender statistics, and presumably confidential client sales
and warehouse stocks charts.


Leaving the database open to anyone with a web browser is an
elementary mistake, but storing such sensitive information in
plaintext is what compounds it. Had the data been encrypted at rest,
as it should have been, with the keys kept outside the database, the
misconfiguration alone would not have exposed readable records. Note
that an unauthenticated Elasticsearch node also lets an anonymous
client modify or delete indices, so encryption limits what can be
read but not what can be tampered with.

As a result of this breach, attackers may now inflict damage on
‘Apodis Pharma’ and its clients, but also on a large number of
patients who have no idea that their personal details were exposed.
This includes scams, blackmail, and phishing, but interfering with
the provision of healthcare services is also possible.


More information about the BreachExchange mailing list