News is unfolding this week of the Swedish government exposing not only the personal data of millions of its citizens, but also data on its road, military and transport infrastructure. The incident itself dates from 2015, and the shockingly long time it has taken to come to light is only the tip of the iceberg in this case.
The Swedish Transport Agency decided two years ago to outsource some of its IT and database management to companies in the Czech Republic and Serbia. That in itself is no big deal; it happens all the time in modern business. However, in the process of uploading databases to the cloud, employees of the contractors in both countries were granted full access to the data on Swedish citizens. The data included drivers' licences; the personal details of people in witness protection, of members of elite military units, of fighter pilots and air traffic controllers, and of people on a police register; and details of government and military vehicles and of Sweden's road and transport infrastructure.
Let that sink in a minute.
With this kind of information, someone could potentially reconstruct Swedish military defence plans or exploit the known weaknesses of every military vehicle, affecting every future deployment of Swedish forces at home and abroad. Citizens in witness protection and members of the army and Special Forces could be exposed. This isn't just a data breach. In the wrong hands it is material for warfare.
And while this debacle cost the STA's Director General Maria Ågren half a month's salary, a trivial penalty in the grand scheme of things, the fines under the incoming General Data Protection Regulation (GDPR) would have been far higher: up to €20 million or 4% of annual global turnover, whichever is greater. Public sector organisations should make no mistake: the regulation applies to them too. It provides a single set of data protection rules across all member states and applies to any organisation, inside the EU or not, that processes the personal data of people in the EU.
While it may seem obvious to those of us in the know, this kind of occurrence is sadly more common than one might think. You only have to look back a few months for evidence, from the largest ever US voter data breach to the Verizon breach that exposed up to 14 million customer records, both of them cloud-hosted data stores left accessible to anyone who found them. When dealing with sensitive and personal data there is one rule of thumb to live by: protect the data itself, not just the perimeter around it. Encrypting data before it goes to the cloud, under keys that the cloud provider and its contractors never hold, is the most dependable way to keep it out of reach of prying eyes and unauthorised third parties.
Encryption matters most for data containing Personally Identifiable Information on employees, customers, citizens and so on that leaves the organisation for the cloud. Crucially, the organisation should also keep control of the encryption keys. Provider-managed encryption at rest protects against a stolen disk, not against the provider's own administrators or subcontractors: whoever holds the keys can read the data. Holding them yourself also means that access can be withdrawn at any time simply by withholding the key.
For organisations that want a complete solution, the eperi Cloud Data Protection (CDP) Gateway is ideal. It is Open Source, so its code can be audited rather than taken on trust, which makes a hidden backdoor for governments or nation states far harder to conceal; it handles all of the encryption key management; and, importantly, the data stays protected even while it is being searched. For public sector organisations, where paperwork and data are a series of forms and fields, the eperi Gateway is also highly customisable: it can recognise the fields that contain PII and encrypt them accordingly. One feature that would have mattered in this particular case is control over who sees the data. Read access can be withheld from external administrators, such as the Czech and Serbian third-party companies, without affecting their ability to do their work and manage the databases: encrypted columns can still be backed up, replicated and queried, but the plaintext is never visible to them.
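To make the last two points concrete (keys held by the organisation, PII fields encrypted before they reach the cloud, exact-match search still possible, and database administrators able to manage the data without reading it), here is an added example in Go. It is not eperi's code and does not show how the eperi Gateway is implemented; it is a minimal stand-in for a gateway of that kind, written for this article. The keys, the column naming convention (`name_idx` beside `name`), the `enc:` prefix and the sample row are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Gateway: constructed stand-in for an encrypting proxy in front of a cloud database; keys stay in-house.
type Gateway struct {
	aead      cipher.AEAD
	indexKey  []byte
	sensitive map[string]bool // column names that hold PII
}

func NewGateway(dataKey, indexKey []byte, sensitiveFields []string) (*Gateway, error) {
	block, err := aes.NewCipher(dataKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	g := &Gateway{aead: aead, indexKey: indexKey, sensitive: map[string]bool{}}
	for _, f := range sensitiveFields {
		g.sensitive[f] = true
	}
	return g, nil
}

// aad binds a ciphertext to its row and column, so moving it elsewhere fails to decrypt.
func aad(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

// SearchToken is a deterministic blind index (HMAC of the normalised value): equal values give
// equal tokens, so the database can answer exact-match queries with no key, but equality leaks.
func (g *Gateway) SearchToken(field, value string) string {
	mac := hmac.New(sha256.New, g.indexKey)
	mac.Write([]byte(field + "\x00" + strings.ToLower(strings.TrimSpace(value))))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:16])
}

// Protect encrypts the PII fields of a row before it goes to the cloud and stores a token beside each.
func (g *Gateway) Protect(recordID string, row map[string]string) (map[string]string, error) {
	out := make(map[string]string, 2*len(row))
	for field, value := range row {
		if !g.sensitive[field] {
			out[field] = value
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nonce, nonce, []byte(value), aad(recordID, field)) // nonce||ct||tag
		out[field] = "enc:" + base64.RawURLEncoding.EncodeToString(ct)
		out[field+"_idx"] = g.SearchToken(field, value)
	}
	return out, nil
}

// Reveal decrypts for an authorised in-house reader; a wrong key, a moved ciphertext or tampering fails.
func (g *Gateway) Reveal(recordID string, stored map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(stored))
	ns := g.aead.NonceSize()
	for field, value := range stored {
		if strings.HasSuffix(field, "_idx") && g.sensitive[strings.TrimSuffix(field, "_idx")] {
			continue // search tokens are not data
		}
		if !g.sensitive[field] {
			out[field] = value
			continue
		}
		raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(value, "enc:"))
		if err != nil || len(raw) < ns {
			return nil, fmt.Errorf("field %q: malformed ciphertext", field)
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
		if err != nil {
			return nil, fmt.Errorf("field %q: authentication failed", field)
		}
		out[field] = string(pt)
	}
	return out, nil
}

func main() {
	// Constructed demo keys and row; real keys belong in the organisation's own key store.
	keys := make([]byte, 64)
	rand.Read(keys)
	gw, _ := NewGateway(keys[:32], keys[32:], []string{"name", "licence_no"})
	stored, _ := gw.Protect("r1", map[string]string{"name": "Anna Svensson", "licence_no": "SE-123456", "vehicle_class": "B"})
	fmt.Println("external DBA sees:", stored) // ciphertext, tokens and the harmless column
	fmt.Println("search token:", gw.SearchToken("licence_no", "se-123456")) // DB compares with licence_no_idx, no key needed
	plain, _ := gw.Reveal("r1", stored)
	fmt.Println("in-house reader sees:", plain)
}
```

Run it with `go run`. The stored row holds base64 ciphertext and tokens; an external administrator can back up, replicate, index and query on the `_idx` columns but cannot recover the plaintext, and a ciphertext copied into another row or column fails the GCM tag check because the row and column name are bound in as associated data. The blind index is deterministic on purpose, which is what makes search work and also why it should not be applied to low-entropy fields (a yes/no flag, a vehicle class) without further thought: anyone holding the table can see which rows share a value.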
If data protection is not currently at the top of your organisation's agenda, whatever kind of organisation it is, now is the time to put it firmly there. No one wants to be the next big facepalm headline. Learn the lessons; encrypt the data.