Greetings from Brussels!
The concept of big data comes with big responsibility and risk, and it doesn’t get any bigger than when a government service is involved. The recent media attention around the Swedish Transport Agency data breach puts a clinical perspective on the whole matter. Sounds un-Swedish, you might say, and you’d be right. One usually has positive thoughts when thinking of Sweden: social democracy at its best, sound and conscientious public organization, all things green and clean, cars with headlights that don’t switch off, affordable flat-pack furniture, and ABBA.
Well, this week turned into a very public fiasco for Sweden, when the Transport Agency exposed sensitive information by transferring its databases to a third-party cloud provider without following proper data protection policy and procedure. The breach occurred back in 2015, when the Transport Agency was privatizing its IT systems. Under the outsourcing arrangement, many of the records included sensitive information related to the Swedish military and the justice system, as well as individuals with protected identities, and these were left openly available to IBM workers in the Czech Republic and Romania. Details on security planning may also have been made available inadvertently. It has also emerged that the agency outsourced maintenance of its firewalls and networks to a company in Serbia, potentially exposing sensitive data further afield.
The debacle surrounding the case does not appear to stem from the data having been inappropriately disseminated; there is no indication that this has transpired, with the Agency stating, “We do not see any direct cause for concern.” It is more a case of the political storm unleashed and a procedural issue, in that the agency ignored warnings over the outsourcing from the security services back in 2015. Moreover, it has come to light that the agency also sidestepped a number of rules, with the then–agency director deciding to “abstain” from applying provisions under the National Security Act (data handlers not having the required security clearance), the Personal Data Act, and the Publicity and Privacy Act when dealing with the outsourcing contract.
Swedish Prime Minister Stefan Lofven described the situation as “extremely serious” and underscored the government’s commitment to ensuring that people “feel safe that their personal information and other sensitive information is handled correctly.” According to local broadsheet media, a number of parties in Sweden’s parliament have said they won’t rule out demanding a confidence vote in the ministers associated with the scandal. This could threaten the jobs of several ministers and possibly the center-left coalition government itself. Following an investigation by the Swedish security police, the former director-general of the Transport Agency was prosecuted, resulting in their dismissal in January for undisclosed reasons. Last month, the former executive was also fined SKr 70,000 (just shy of 7,500 euros) for being careless with secret information. I think quite possibly we haven’t heard the end of this story, and it may well have more sting in its tail.
On reflection, and at a time of mounting concerns about cybersecurity and data protection, it is poignant to be reminded of the need for organizations — both public and private — to thoroughly evaluate and understand the risk environment of their supply chains and third-party suppliers. Ultimately, with outsourcing, an organization needs to treat third-party (processor) arrangements as an extension of itself, so applying equal due diligence is paramount; there are no shortcuts. And, of course, it goes without saying that this is well provisioned for under the upcoming GDPR.
Tread carefully out there.