French healthcare software company Apodis Pharma was notified that its private data was publicly accessible on an unsecured Elasticsearch database discovered by the investigation team at CyberNews. The 1.7TB of exposed data included pharmaceutical sales data, full names of Apodis Pharma partners and employees, client warehouse stock statistics, pharmaceutical shipment locations and addresses, and other business-related data. It is unclear who accessed the database, but it has certainly been seen by others, since it had already been indexed at least once. When CyberNews first discovered the exposed database, they contacted Apodis Pharma and received no reply. Nearly a week later, CyberNews reached out to the French Computer Emergency Response Team (CERT), whose efforts to inform Apodis also failed. Nearly three weeks after the first contact attempts, the database was still open to the general public. Mathieu Bolard, the CTO of Apodis Pharma, was then contacted directly and had the issue fixed almost immediately.
It is essential to know who has access to Elasticsearch, or any other database, hosted on a server with a publicly reachable IP address, and to make sure that each such instance is adequately secured. At the very least, a strong username and password combination should be required to gain access; an instance that answers unauthenticated HTTP requests from the internet is readable by anyone who finds it. To avoid a situation where the data is deleted or encrypted by a threat actor, it should also be backed up offline. An in-depth guide on how to avoid an exposure like this can be found on the Elasticsearch blog: https://www.elastic.co/blog/how-to-prevent-elasticsearch-server-breach-securing-elasticsearch
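As an added illustration of the two recommendations above (this is not Apodis Pharma's configuration or anything from the page), the following `elasticsearch.yml` fragment shows the kind of settings that produce an openly readable instance next to a hardened version. It assumes a self-managed Elasticsearch 7.x node, where security had to be switched on explicitly (8.x enables it by default); the interface addresses, certificate paths and backup directory are placeholders.

```yaml
# --- Exposed shape (hypothetical): bind to every interface with no authentication ---
# Any client that can reach port 9200 can read and modify every index.
network.host: 0.0.0.0            # listens on all interfaces, including the public one
xpack.security.enabled: false    # no usernames, passwords or roles are enforced

# --- Hardened shape (hypothetical values) ---
# 1. Bind only to the internal interface; reach the cluster through a VPN or bastion.
network.host: 10.0.12.5          # placeholder: the node's private address

# 2. Require authentication and roles for every request.
#    After restarting, set the built-in user passwords with
#    `bin/elasticsearch-setup-passwords interactive` and create least-privilege
#    roles for applications instead of sharing the `elastic` superuser.
xpack.security.enabled: true

# 3. Encrypt client traffic so credentials are not sent in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder path

# 4. Encrypt node-to-node traffic (required once security is enabled on a cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # placeholder path

# 5. Allow a filesystem snapshot repository so regular backups can be taken and
#    copied to offline storage. Register it afterwards with
#    PUT _snapshot/offline_backup  {"type": "fs", "settings": {"location": "/mnt/es-backups"}}
path.repo: ["/mnt/es-backups"]   # placeholder: mounted backup volume
```

Because `network.host` determines which addresses the node listens on, this check is worth repeating whenever a node is moved to a new host or cloud image: a private address that becomes a public one re-exposes the cluster even if nothing else changed.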