Sweden Exposes All the Data
How can any one group in a specific situation do just about everything wrong? The Swedish Transport Agency is making headlines now as the next big data breach, demonstrating levels of judgment that make George Costanza look wise.
Back in 2015, this government agency made a deal with IBM to migrate their data to the cloud. As a result, sensitive data was outsourced to third-party administrators in other countries. This one standard decision has now avalanched into a spectacular debacle. Due to time constraints, the former director of the agency, Maria Agren, decided to bypass the usual security checks. That was a mistake. Once uploaded to these third-party systems, it was open season, free access to Sweden’s most critical data, including that of its people. The database had been shared in its entirety. Information of all stripes was made public, including names, photos, addresses, vehicle registration, witness relocation, fighter pilots and SEAL team operators and just so much information you do not want being shared across the globe.
In their haste, the agency had put its citizens at risk. In 2016, the Swedish Secret Service indeed discovered that control of certain national IT systems were in unauthorized foreign hands.
Worse still, the countries to which the information had flowed, including the CR, generally have anti-EU agendas, which stand at odds with Sweden’s interests.
How thorough and complete was this faux pas? Swedish Pirate Party founder Rick Falkvinge writes, “Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) laterly[sic], but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked.”
The results of the shocking decision making on display here, however, were not over yet. Once they had discovered that the data had been sent to contractors and marketers in clear text, the agency’s next action was to…send another clear text email identifying the exposed data and asking recipients to delete it. Despite an ongoing investigation, there is currently no plan to revoke these international companies’ database access.
On top of all these blunders, it also came out that this incident was prefaced by another error: namely, firing all IT staffers responsible for guarding the data before the outsourcing occurred.
The penalty for this gross national negligence? Well, Agren got fined $8,500, and that’s about it.
Incidents like this highlight both the dangers of skipping security measures to save time, as well as the significance of being informed about the third parties you’re doing business with, along with any vulnerabilities they might have that can become a problem for you, too.