Security

What the Swedish government's data leak disaster can teach companies about third-party security

The Swedish Transport Agency outsourced IT work to third parties without mandating security clearance for staff, leading other nations to access sensitive government data.

The Swedish government is in a state of distress after a data leak from the Swedish Transport Agency (STA) released sensitive information on the country's military units and witness relocation program members, Reuters reported.

The leak can be traced back to 2015, when the STA outsourced the management of its database and IT infrastructure to two companies: IBM in the Czech Republic, and NCR in Serbia. IBM administrators were given full access to all data and logs, according to Swedish newspaper Dagens Nyheter. Meanwhile, the Serbian company maintained firewalls and communication.

While working with a third party isn't out of the ordinary, the STA reportedly uploaded its database onto cloud servers, and then accidentally emailed its contents in messages to marketers. Further, looking to speed up deployment and cut costs, the government agency bypassed critical security checks that would have prevented Czech and Serbian workers from handling servers with sensitive materials.

SEE: Hiring kit: IT vendor manager (Tech Pro Research)

The leaked data included personal details of everyone in Sweden's witness relocation program, as well as those of the country's elite military units, fighter pilots, air controllers, and citizens in a police register. It also included citizens' driver's license information, details of government and military vehicles, and data on Sweden's road and transportation infrastructure.

This means that workers in the Czech Republic and Serbia—the latter of which is said to have ties to Russia when it comes to sharing intelligence—were able to access these documents.

Many are calling this one of the largest government breaches in history.

"This is a disaster," Swedish Prime Minister Stefan Lofven said at a news conference last week. "This has exposed Sweden and Swedish citizens to risks."

Former STA director general Maria Ågren left her position in 2016, and was fined half of her monthly salary, which is 70,000 Swedish krona (around $8,500).

Sweden's security police Säpo discovered the leak in 2015, and reported it to the Justice Ministry that year. Information about the breach was only recently made public.

At the news conference, Lofven said the government was investigating the incident and would strengthen laws for handling sensitive material.

SEE: Cyber Security Volume I: Hackers Exposed (TechRepublic Academy)

"Unfortunately, Swedish citizens will experience years of identity, privacy, and national security issues due to the amount and type of data disclosed," said Forrester analyst Jeff Pollard. "It's an example of how your attack surface extends well beyond your enterprise, and how hackers are only one thing to protect against."

The incident shows a fundamental failure to understand the importance of information, and that anyone with access to sensitive data or intellectual property—including employees, third parties, and service providers—is a potential risk, Pollard said.

"One new paradigm of the data economy is that security teams once tasked with protecting information will need to enable sharing information while protecting it—a different but necessary approach," Pollard said. "In this case Sweden chose to give access to data to a service provider while willfully disregarding any aspect of protecting that data, and now its citizens will pay for those choices."

While third-party tech partners can help companies meet business goals more quickly, certain mistakes tend to spring up when organizations are seeking out and managing relationships with these partners. And bringing third-party vendors into your organization changes the threat landscape, as Conner Forrest reported for ZDNet. For example, in the much-publicized 2013 Target hack, a compromised vendor led to a data breach for the retail giant.

Click here to read more about mistakes to avoid when working with tech partners.

istock-465135327.jpg
Image: iStockphoto/BrianAJackson

Also see

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.

Editor's Picks

Free Newsletters, In your Inbox