The French digital supply chain management and software solutions provider Apodis Pharma exposed a massive trove of confidential business-related data, including pharmaceutical sales data, full names of Apodis Pharma partners and employees, and more.
The leak was discovered by CyberNews researchers, who found an unsecured, publicly accessible Kibana dashboard of an Elasticsearch database containing over 1.7 TB of data. The exposed database included several archives with information related to pharmaceutical shipments (shipment storage status, the precise times and locations at which the shipments were picked up by sellers or distributors, and the quantity of pharmaceuticals in the shipments); partner and client organizations; products stored in Apodis Pharma client warehouses; confidential product sales data; user records (including full names of people who appear to be Apodis Pharma clients, partners, and employees); and consumer and client data visualizations and analytics.
At present, it is not clear who had access to the exposed data. However, the researchers said that the database has already been indexed on at least one popular IoT search engine, meaning that the data has likely been accessed and downloaded by third parties.
The investigation team said they discovered the database on October 22 and attempted to contact Apodis Pharma over the issue, but without success. The team then reached out to CERT France for help in securing the database, but more than two weeks later, the database was still publicly accessible. Eventually, the researchers contacted Apodis Pharma CTO Mathieu Bolard directly on November 16, and the database was secured the following day.