Sweden’s Transport Agency outsourced its databases to IBM in the Czech Republic, but it has now been revealed that the required security clearance checks were not carried out.
As a result, the data about all vehicles in Sweden, including police and military vehicles, was accessible to IBM administrators in the Czech Republic, Swedish news site The Local has reported.
It has also emerged that the Swedish Transport Agency outsourced maintenance of its firewalls and networks to a company in Serbia, potentially exposing the sensitive data even further.
It is not illegal in Sweden to place data services in other countries, but according to public prosecutors, the Transport Agency failed to ensure those handling the data had the appropriate security clearances.
The exposed data reportedly includes the weight capacity of all roads and bridges, which indicates which could be used by the air force in wartime; details of all government and military vehicles; and personal details of fighter pilots, police force members, members of the Swedish military’s most secret units and everybody in Sweden’s witness protection programme.
The story first hit the headlines in Sweden when it emerged that former director-general of the Swedish Transport Agency Maria Ågren – who was fired for undisclosed reasons in January 2017 – had been fined half a month’s pay after she was found guilty of being “careless with secret information”.
According to a statement by the Transport Agency, Ågren disregarded Sweden’s National Security Act, Personal Data Act and Publicity and Privacy Act when setting up the outsourcing deal with IBM, which has declined to comment, according to the BBC.
The agency declined to detail what confidential information was contained in its databases, but said it did not have a register of military pilots. The agency acknowledged that it did hold information about people with protected identities, but said there was no reason for concern.
The Transport Agency said it has begun a process to ensure that only people with security clearances will have access to the data, but expects to have completed this process only by the autumn of 2017.
The story has raised national security concerns because of the close relationship between the Serbian and Russian intelligence services and is viewed in a very serious light, because a fine of half a month’s pay is the harshest sentence ever seen in Swedish government, according to Rick Falkvinge, head of privacy at VPN provider Private Internet Access and founder of the Pirate Party.
“If a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison. But not when done by the government themselves,” he wrote in a blog post.
Register sent to subscribers
According to Falkvinge, in March the Swedish Transport Agency sent the entire register of vehicles to subscribers, but failed to remove the details of people in the witness protection programme and other similar programmes.
When this mistake was discovered, he said a new version without the sensitive identities was not distributed with instructions to destroy the old copy, but instead the sensitive identities were pointed out and named in a second clear text email with a request for all subscribers to remove these records themselves.
Kyle Wilhoit, senior cyber security threat researcher at DomainTools, said that until organisations learn basic compensating security controls, data breaches of this kind will continue, and are likely to get even worse.
“Things as simple as two-factor authentication, and not sharing the same password across multiple accounts, could be instrumental in stopping this kind of breach,” he said.
An opportunity for cyber criminals
Wilhoit warned that cyber criminals will use a data breach of this size to create a healthy pipeline of future cyber crimes, beginning after the records have been sold on the dark web.
“This could be used to facilitate identity or banking fraud, as well as to send targeted phishing emails, leading to malware,” he said.
Joe Fantuzzi, CEO of RiskVision, said the breach once again underscores the need for organisations to thoroughly evaluate and understand the risk environment of their third-party suppliers.
“While understanding your own risk environment is a first step in improving risk posture, it’s far from the only step. Organisations that fail to assess third party vulnerabilities will be left with gaping blind spots that will leave them susceptible to breaches and cyber attacks down the road,” he said.
Ultimately, Fantuzzi said organisations need to truly consider third party environments as an extension of their own, and treat them as such from a security and risk perspective. “Only then will they be able to accurately see a big picture of their entire risk posture,” he said.
Limiting access to reduce risk
Ken Spinner, vice-president of Global Field Engineering, said the best way to reduce the risk of deliberate or accidental data exposure is to limit access to those who need it the most and to monitor data access so that when something suspicious happens, it can be caught before making global headlines.
Limiting data access and taking a privacy-by-design approach goes a long way in proactively protecting critical data, according to Spinner.
“Perhaps most importantly, government agencies – and any organisation that processes and stores sensitive data – need to establish and uphold strong cyber security and data protection practices: not only for internal use, but for all third party contractors as well,” he said.
Itsik Mantin, director of research at Imperva, said that with the surge in AI technologies that rely heavily on enormous volumes of data for making better decisions, securing it becomes a huge challenge for security officers.
“More users rely in their work on access to more data, and they need this access most of the time. With dynamic data access needs of users that are hard to predict, an attempt to harness the traditional approach of building a least-privilege access control system that grants each user access to the data he really needs is futile,” he said.
The ability to contain breaches where insiders and poor security processes are involved, said Mantin, depends heavily on the time it takes the organisation to detect the breach and reach the uncontrolled devices to which the data arrived.
“However, the problem with these breaches involving insiders and third parties is that no malware is involved and no penetration of the organisation happens, leaving security mechanisms like firewalls and antiviruses totally blind to them,” he said.
“In order to obtain quick detection that may facilitate containment of such breaches, security controls should focus on access to business-critical data and users’ private data, monitor access, comparing access patterns to the ‘regular’ activity, and detect anomalous data access.”
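The monitoring approach Spinner and Mantin describe, baselining who normally reads which data and flagging reads that depart from that pattern, is easy to sketch in code. The following is an added example written for this page, not code from any of the quoted vendors or from the Transport Agency. The log format, the user and table names, the row counts and the detection thresholds (a working-hours window and a tenfold volume multiplier) are all constructed assumptions chosen to make the idea concrete; a real deployment would draw the baseline from far more history and tune the rules to its own data.

```python
from datetime import datetime

# Constructed access log lines (illustrative only, not real agency records):
# "<ISO timestamp> <user> <table> <rows_read>"
SAMPLE_LOG = """\
2017-03-01T09:12:00 alice vehicles 120
2017-03-01T10:05:00 alice vehicles 95
2017-03-02T09:30:00 alice vehicles 110
2017-03-02T11:00:00 bob roads 40
2017-03-03T09:45:00 alice vehicles 100
2017-03-03T14:00:00 bob roads 55
2017-03-04T02:13:00 bob protected_ids 50000
2017-03-04T09:50:00 alice vehicles 130
"""


def parse_log(text):
    """Parse the space-separated format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "table": table, "rows": int(rows)})
    return events


def build_baseline(events):
    """Per user: the tables they normally read and the largest single read seen."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"tables": set(), "max_rows": 0})
        b["tables"].add(e["table"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return baseline


def detect_anomalies(events, baseline, work_hours=(7, 19), volume_factor=10):
    """Return (event, reasons) for every event that departs from the baseline.

    Rules (assumed thresholds): a user touching a table they have never read,
    a read more than volume_factor times their previous largest read, an
    access outside work_hours, or a user with no history at all.
    """
    flagged = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("unknown_user")
        else:
            if e["table"] not in b["tables"]:
                reasons.append("new_table")
            if e["rows"] > volume_factor * b["max_rows"]:
                reasons.append("volume")
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            reasons.append("off_hours")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def run_sample(cutoff="2017-03-04T00:00:00"):
    """Build the baseline from events before cutoff, then check later events."""
    events = parse_log(SAMPLE_LOG)
    split = datetime.fromisoformat(cutoff)
    history = [e for e in events if e["ts"] < split]
    recent = [e for e in events if e["ts"] >= split]
    return detect_anomalies(recent, build_baseline(history))


if __name__ == "__main__":
    for e, reasons in run_sample():
        print(e["ts"].isoformat(), e["user"], e["table"], e["rows"],
              ",".join(reasons))
```

On the constructed sample the 02:13 read of 50,000 rows from a table the user had never touched is the only event flagged, for all three reasons at once, while the ordinary daytime read passes. The point of the design is the one Mantin makes: none of these signals depend on malware or a perimeter breach, only on comparing each data access with what that account has done before.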