Swedish cloud data bork bork borked
Sometimes a company’s staff can be a bigger security liability than malware or hackers, as was the case with the recent Swedish transport agency database situation.
Two years ago, the Swedish government outsourced the management of its transport agency databases and networks. Unfortunately, it appears that no form of network separation was applied to keep sensitive military and law enforcement data apart from routine vehicle registrations. Everything was, in effect, thrown into one cloud. What’s the worst that could happen?
Ah yes, the exposure and leaking of pretty much any and all of the data held. That. That’s the worst that could happen. And it seems it has.
The database included details of every vehicle in the country, including police and military ones. What’s more, reports suggest, it also included details of people on witness protection programmes and members of special forces, all of whom require their identities to be kept secret. Now it seems that all this information, and more, was ‘exposed and leaked’ through sheer incompetence.
While it would be easy to blame the contracted provider, in this case IBM, I think there needs to be a little more digging done than that.
the emailed list was in clear text
Not least because from what I can gather this was a case of the transport agency sending the entire database to marketing companies on a subscription list. Yes, you did read that right; and it gets worse. That emailed list was in clear text.
Of course, when it became apparent what had happened, action was taken. Unfortunately that action just compounded the bork bork bork nature of the incident: a new list was sent and the recipients were asked to delete the original one. Doh!
Not that IBM is completely off the hook, as the question remains just why all that data would be thrown into the one cloud database rather than following the accepted best practice of separation when it comes to highly sensitive information of this nature.
Equally, surely someone either at the transport agency or within the IBM security team should have flagged that IBM workers (staff and contractors) outside of Sweden had access to the database, and therefore to the sensitive military and law enforcement data, without holding the necessary security clearance.
Things didn’t get a whole lot better once the fiasco came out into the open. It didn’t help that a security agency report into the affair was redacted to such a degree that one media outlet claims it was impossible to determine whether national security was compromised or not. Which, I suspect, was the point of the redaction.
The former head of the Swedish transport agency was docked half her monthly salary at the start of the year after pleading guilty to ‘being careless’ with the information. And the current director general has assured the watching world that the systems will be secure by the Autumn. Oh, well, that’s all OK then!
The Swedish Prime Minister, Stefan Lofven, has now stated that there are plans to tighten outsourcing rules and that an investigation is underway, in order to reassure people that the government takes seriously the need to handle their data correctly.
Itsik Mantin, director of research at Imperva, said: “Like many of the breaches, this data breach is not the result of hackers penetrating the organisation and stealing data from it, but involves, according to what was published, third parties having access to a highly sensitive database that could steal it, and an employee who accidentally sent this database to a long list of unauthorized recipients.
“The fact that the database had left the transport agency and reached uncontrolled devices leaves only a little optimism about who can have a copy now. The ability to contain such breaches depends heavily on the time it takes the organisation to detect the breach and reach the uncontrolled devices to which the data arrived. However, the problem with these breaches involving insiders and third parties is that no malware is involved and no penetration of the organisation happens, leaving security mechanisms like firewalls and anti-virus totally blind to them. In order to obtain quick detection that may facilitate containment of such breaches, security controls should focus on access to business-critical data and users’ private data, monitor access, compare access patterns to the regular activity, and detect anomalous data access.”
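As an added example (not code from this page, the transport agency, IBM or Imperva), here is the kind of data-access monitoring the quote above recommends, run over a constructed database access log. It combines two checks that map onto the failures described earlier: a policy check that flags queries against classified tables by users who lack clearance or who sit outside Sweden, and a per-user baseline that flags a query returning vastly more rows than that user normally pulls, which is what a whole-database export looks like. The log format, table names, classification labels, user names and thresholds are all assumptions made for the illustration.

```python
"""Detect policy violations and bulk-export anomalies in a DB access log.

Added example; the log lines below are constructed, and the log format,
table classification and thresholds are assumptions, not anything
published about the Swedish Transport Agency incident.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log, one query per line:
# timestamp,user,country,clearance,table,rows_returned
SAMPLE_LOG = """\
2017-07-01T08:02:11Z,anna,SE,secret,vehicle_registry,12
2017-07-01T08:05:40Z,anna,SE,secret,vehicle_registry,9
2017-07-01T08:09:03Z,anna,SE,secret,protected_persons,1
2017-07-01T08:15:22Z,bob,SE,none,vehicle_registry,15
2017-07-01T08:21:37Z,bob,SE,none,vehicle_registry,8
2017-07-01T09:01:00Z,carl,CZ,none,protected_persons,3
2017-07-01T09:30:00Z,bob,SE,none,vehicle_registry,1850000
2017-07-01T09:45:12Z,anna,SE,secret,protected_persons,2
"""

# Assumed data classification: tables holding military, law-enforcement or
# witness-protection records need 'secret' clearance and in-country access.
TABLE_CLASSIFICATION = {
    "vehicle_registry": "public",
    "protected_persons": "secret",
    "military_vehicles": "secret",
}
CLEARANCE_RANK = {"none": 0, "secret": 1}
ALLOWED_COUNTRIES_FOR_SECRET = {"SE"}
BULK_FACTOR = 50           # flag a query returning > 50x the user's usual rows
MIN_BASELINE_QUERIES = 2   # need this many prior queries before judging


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, clearance, table, rows = line.split(",")
        events.append({"ts": ts, "user": user, "country": country,
                       "clearance": clearance, "table": table,
                       "rows": int(rows)})
    return events


def policy_violations(events):
    """Static check: who touched classified data without the right to."""
    findings = []
    for e in events:
        # Unknown tables are treated as sensitive so the check fails closed.
        cls = TABLE_CLASSIFICATION.get(e["table"], "secret")
        if cls != "secret":
            continue
        if CLEARANCE_RANK.get(e["clearance"], 0) < CLEARANCE_RANK["secret"]:
            findings.append((e["ts"], e["user"], "no_clearance", e["table"]))
        if e["country"] not in ALLOWED_COUNTRIES_FOR_SECRET:
            findings.append((e["ts"], e["user"], "outside_jurisdiction", e["table"]))
    return findings


def bulk_anomalies(events):
    """Behavioural check: compare each query to the user's own history.

    The baseline is the median row count of that user's *earlier* queries,
    so a dump does not inflate the baseline it is judged against.
    """
    history = defaultdict(list)
    findings = []
    for e in events:
        prior = history[e["user"]]
        if len(prior) >= MIN_BASELINE_QUERIES:
            base = median(prior)
            if e["rows"] > BULK_FACTOR * max(base, 1):
                findings.append((e["ts"], e["user"], "bulk_export",
                                 e["table"], e["rows"], base))
        prior.append(e["rows"])
    return findings


def analyse(text):
    """Run both detectors over a log and return the findings."""
    events = parse_log(text)
    return {"policy": policy_violations(events), "bulk": bulk_anomalies(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for kind, items in result.items():
        for item in items:
            print(kind, *item)
```

On the constructed log this flags carl twice (no clearance, and querying a classified table from outside Sweden) and bob's 1,850,000-row query against a baseline of 11.5 rows. Neither finding depends on malware or a network intrusion, which is the point the quote makes: a firewall or antivirus never sees either event, whereas a control sitting on the data access path does.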