The Swedish Transport Agency (Transportstyrelsen) has been all over the news recently because of the way it has (not) handled access permissions to its data, which includes sensitive information about government and military vehicles, drivers’ licenses with photos, and infrastructure information about roads, railways and bridges. The full extent of the breach is yet to be determined, so there is most likely more to come.
What do we know so far? Let’s break down the events.
In 2015, the Swedish Transport Agency outsourced its IT operations to IBM, which has many subsidiaries in Eastern Europe. This took place despite warnings from the Swedish Security Service (SÄPO). When making that decision, the then director general Maria Ågren disregarded several Swedish laws protecting personal data, including the Personal Data Act (PuL). Among other things, it was decided that some IT personnel would not have to go through the standard security clearance checks in order to be permitted to handle the data. This meant that foreign IT personnel had access to, and could possibly spread, extremely sensitive information. The scandal has also reached parliamentary level, as it has been revealed that several high-profile politicians in the Swedish government had known about it for some time.
This case is quite interesting from a GDPR perspective. If this embarrassing episode had occurred after May 25th 2018, there would have been discussions around fines amounting to €20 000 000, since the agency transferred large amounts of personal data to a third country. But the agency has also violated existing Swedish law related to national security.
The GDPR, which will replace PuL in May 2018, and information security best practice in general are both explicit about how access to data should be handled. Some practices are de facto standard, for example the principle of least privilege, Role Based Access Control and business justification for each access grant. All of these appear to have been circumvented in the Transport Agency case. For reasons that are still unknown, the agency decided that it was more important to provide access to external engineers than to respect information security standards and the protection of personal data.
We still do not have the complete picture, but everything points to an extremely poor information security culture in the top management of the agency. But if I have understood it right, the agency’s system engineers felt obligated to report the activities, as they could not quietly let this happen. It is at least reassuring that the engineers who were directly involved reacted!
This scandal further emphasizes the importance of prioritizing compliance from a buyer’s perspective, as well as educating yourself on security standards and on the laws protecting personal data. If you adhere to security standards, e.g., ISO 27001 or PCI DSS, it is unlikely that you’ll end up in the same mess the Transport Agency now finds itself in. These standards have been developed over many years, incorporating best practices and following how businesses actually operate, so that they stay practical and relevant. They are not flawless, and you can still create a mess even if you are certified, but they contain a lot of built-in countermeasures to help you avoid embarrassing situations such as this one.