Swedish ‘data leak’ a disaster — how’s your VCS doing?
Trust in a version control system (VCS) to protect your data.
Some of you may have heard about the disastrous data leak made by the Swedish government on million of citizens’ personal information earlier this week —check out a translated retelling of this colorful event here.
I repeat, millions of citizen’s files were exposed.
Normally, for a screw-up to be legendary, it needs the benefit of some time — something doesn’t just instantly become a legend. So it’s no surprise that even though this story is just now getting real attention, the initial screw-up occurred back in September of 2015. That is when the Swedish Transport Agency started outsourcing its database and IT service management to private companies like IBM.
Recently, new information has started to unveil what really happened. A series of reports by a Swedish newspaper began to bring more information to the public in earlier this month. The agency uploaded its data to IBM’s cloud servers, where it was accessible to people outside of Sweden who didn’t have proper security clearance. You read that correctly. There were no security permissions enforced around the files and data.
The compromised data included all the details you’d find on a vehicle registry: the names, photos, and home addresses of millions of Swedish citizens. That’s enough of a problem in and of itself. But, more sensitive information was released too — personal information on members of the military, secret special forces (SEAL-like teams), suspects wanted by police, citizens in witness protection, complete information about the model and condition of all military vehicles, and technical specs on roads and bridges. Really bad.
Wait it — gets better, the data was also available to all of the agencies IT workers in Sweden as they were being laid off. Meaning that disgruntled workers could download it for a short time.
Then, another breach occurred.
In March of 2016, the publicly available vehicle information was supposed to be made available to approved marketers who subscribe to a special database. Somehow, the database also contained the information of the thousands of people with protected identities. The Swedish Secret Service caught wind of the mistake and notified the agency. Since then nothing has really been revealed. Until now.
At a press conference on Monday, Prime Minister Lofven said that he’s known about the situation since January. He said that a review of internal policies would be conducted and he still has full faith in all his ministers. Opposition parties have indicated that they are considering putting a no-confidence motion in front of Parliament for debate.
So what can we learn here?
Central control and enterprise class permission management should be table stakes when storing information in the cloud. This cloud breach could have been mitigated with proper access control settings using enterprise version control. A single source of truth with full permission control and irrefutable audit traceability should be top of mind for CIO’s everywhere. We live in an interconnected world where more and more of your business is moving to to the cloud — don’t let that pressure side-step important security measures.
Rick Falkvinge, head of privacy at Private Internet Access and a founder of the Pirate Party, wrote in a blog that he believed this massive data leak demonstrates that governments were not reliable guardians of data.
“Let’s be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison….The leak is still ongoing and can be expected to be fixed maybe this fall, perhaps…” he said.
This statement has major implications across what we consider safe and who we consider being safe as it pertains to our private information.
I find it truly amazing that large entities are still able to get away with using services that don’t have enterprise class permission control. Enterprise Version control has — for years — had high grade and granular permission management. It is the gold standard in security for data in the cloud.
After reading this the main question you really should ask your IT director is:
Where is our mission critical data, and how are we ensuring that access to it is secure, and compliant?
If you want to find out more about enterprise version control and data leak protection feel free to contact me at jacek at assembla dot com, follow me here or on Twitter.