The Swedish Transport Agency provided unscreened third-party IT workers with full access to all information on Swedish vehicles, including those belonging to the police and military, The Local reports.
Management of the Swedish Transport Agency’s vehicle and license registry was outsourced to IBM administrators in the Czech Republic in 2015 without security checks.
Because it was being handled under time pressure, the director-general at the time “saw no other option than to bypass the usual security rules,” The Local reports.
According to Infosecurity Magazine, the exposed information includes vehicle registration data for every Swedish citizen, data on all government and military vehicles, weight capacity of all roads and bridges — and the names, photos, and home addresses of air force pilots, police suspects, elite military operatives, and people under witness protection.
Worst Leak Ever
Swedish Pirate Party founder Rick Falkvinge called the breach the “worst known governmental leak ever,” noting, “Sweden’s Transport Agency moved all of its data to ‘the cloud,’ apparently unaware that there is no cloud, only somebody else’s computer.”
“Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) laterly, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked,” Falkvinge wrote.
The entire register was also sent to marketers last March — that’s common practice, since the basic registry is public information, but the list sent to marketers included people in the witness protection program.
When that happened, Falkvinge wrote, “the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove thes:e records themselves. This took place in open cleartext email.”
Third Party Risks
RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that the breach once again underscores the need for organizations to evaluate and understand the risk environment of their third party vendors.
While understanding your own risk environment is an important step in improving your risk posture, Fantuzzi said, it’s far from the only step.
“Organizations that fail to assess third party vulnerabilities will be left with gaping blind spots that will leave them susceptible to breaches and cyber attacks down the road,” Fantuzzi said. “Ultimately, organizations need to truly consider third party environments as an extension of their own, and treat them as such from a security and risk perspective.”
A recent Gemalto survey of 1,050 IT decision makers worldwide found that while 94 percent of respondents believe perimeter security is effective at keeping unauthorized users out of their networks, 65 percent aren’t extremely confident their data would be secure if perimeter defences were breached.
And although 55 percent of respondents don’t know where their sensitive data is stored, 59 believe all their sensitive data is secure.
Sixty-eight percent of respondents believe unauthorized users can access their networks.
“It is clear that there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality,” Gemalto vice president and chief technology officer for data protection Jason Hart said in a statement. “By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data.”