This is... insane. 2.7 million phone calls, containing the most sensitive information imaginable, just available on an unsecured server. Many of the files are indexed by phone number, making it trivial to look up any given person. This has got to be one of the worst data breaches in history.
The article contains a gold nugget in a partial interview with Davide Nyblom, the CEO of Medicall, the company responsible. When asked for comment by the magazine:
Davide Nyblom: "I've checked with our IT, what you're saying is not possible."
Reporter: "I have the files in front of me."
Davide Nyblom: "I've checked with our IT, and it can't happen."
Reporter: "Do you want me to play you one of the files?"
Some context: In Sweden, one can dial 1177 to receive medical advice for anything that isn't an urgent life and death situation. The trained medical staff at the 1177 call centers give advice to the best of their ability, or see to it that the caller goes to an emergency room, schedules an appointment or even gets an ambulance, when applicable.
Now, some of these calls apparently get routed to an off-shore operation in Thailand, where Swedish expat staff help out during off hours and such.
The publication Computer Sweden found that every call forwarded to this call center lay open for anyone with internet access to download or stream. All that was needed was a URL - there weren't even any password credentials needed.
All in all, 2.7 million calls were affected, from 2013 and up until the very moment Computer Sweden contacted the responsible company, and had them up their security.
I can't even start to fathom the vastness of this breach of integrity.
Fine them off the surface of the planet. This is just beyond bad. It is not just something that happens. The amount of failsafes that should have triggered before something like this should be so high that the probabilities should be indistinguishable from 0.
Apparently it is only calls from three län (administrative regions), but only because the others didn't use the service of the company in question.
This must be one of the worst breaches I've ever heard of. Imagine if this archive were leaked and someone made it searchable or something. I wonder what the chances are that someone has downloaded this. Probably not that high, but at the same time it was just plain old HTTP with directory listings and wav/MP3 files. Not completely unfeasible that someone is crawling stuff like that.
Sweden is a joke when it comes to privacy. Yes, in Sweden GDPR applies, but in practice it is not applied at all. Just type into Google the name of any resident in Sweden and you'll get a bunch of companies providing information about full name, address, picture and directions to where they live, indications of where to turn, right, left, to go to the flat where the person lives, how much they make, whether they are married or not, own a car, a house, an apartment, etc.
All because the public agencies sell personal information which has not been anonymised.
The Swedish Data Protection agency is another joke. Have they said anything about this? I wonder if they are going to do anything at all.
According to the GDPR the region government, as well as any other company or organisation, should have contracts in place with reliable providers, and they are responsible when going into a contract with someone who is not reliable, so the 1177, the region government, Medicall, etc. are all equally responsible.
While you are right that data like your address is freely available, it should be mentioned that data like your income is a bit more "protected". One has to pay for it (and AFAIK there is a limit on the number of items a private person can buy) and the person whose data is queried is notified about such a query (who asked what). Also some info is not as detailed as it may seem at first. What does it give you if I say that I own a Volvo in a country where 30% of cars are Volvos?
EDIT: spelling
The article contains a gold nugget in a partial interview with Davide Nyblom, the CEO of Medicall, the company responsible. When asked for comment by the magazine:
Davide Nyblom: "I've checked with our IT, what you're saying is not possible."
Reporter: "I have the files in front of me."
Davide Nyblom: "I've checked with our IT, and it can't happen."
Reporter: "Do you want me to play you one of the files?"
[hangs up the phone]