Believing it was moving sensitive data to the cloud under a 2015 outsourcing agreement with IBM, Sweden’s Transport Agency inadvertently sent information on every vehicle nationwide to marketers that subscribed to it and then allegedly covered up the leak, with only a slap on the wrist to the agency’s director.
“Sweden’s Transport Agency moved all of its data to ‘the cloud,’ apparently unaware that there is no cloud, only somebody else’s computer,” Pirate Party Founder Rik Falkvinge, who heads up privacy at Private Internet Access, a VPN provider, wrote in a blog post. “In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started.”
Falkvinge derided the punishment meted out by Swedish courts. “The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck,” he said of the agency’s former director-general, Maria Ågren.
Even after discovering that the database had been sent to marketers in clear text, the agency simply asked them to delete the list and sent out a new list. Not only was the information available to those who received the email but could be accessed to IBM employees without security clearance working in the Czech Republic, TheLocal reported, citing an article in Dagens Nyheter, a Swedish newspaper, which allegedly had viewed documents from a probe by the Swedish Security Service, Säpo.
“Like many of the breaches, this data breach is not the result of hackers penetrating the organization and stealing data from it, but involves, according to what was published, third-parties having access to highly sensitive database that could steal it, and an employee that accidentally sent this database to a long list of unauthorized recipients,” noted Itsik Mantin, director of security research at Imperva. “The fact that the database had left the transport agency and reached uncontrolled devices, leaves little optimism for who has a copy now.”
Containing a breach of this nature, Mantin said, “heavily on the time it takes the organization to detect the breach and reach the uncontrolled devices to which the data arrived.” But because leaks through insiders and third parties don’t include malware or penetrate an organization, firewalls and antivirus solutions are “totally blind to them,” he said,urging companies to train their focus on controlling and monitoring data access.