
Sweden Government Data Leak: Don’t Blame IBM Outsourcing

Sweden's Transport Agency apparently leaked government secrets that potentially included details of military personnel, according to the Financial Times. Although the leak may have involved confidential information flowing from Sweden to IBM, there's no indication that IBM did anything wrong as part of an outsourcing relationship with the country, according to the BBC.

Sweden's Prime Minister Stefan Lofven called the leak a disaster that's "extremely serious," the Financial Times report said.

Still, much of the coverage is quite vague since the Transport Agency has declined to disclose exactly what information may have been left open for IBMers to see. Multiple reports say the leak involved confidential data about military personnel, along with defense plans and witness protection details, the BBC said.

Sweden Government Data Leak: Lengthy Silence

Several developments are further fanning the flames of concern. For starters, Lofven has known about the leak since January 2017, while the interior and defense ministers learned of it roughly 18 months ago, the Financial Times said.

The fallout includes Maria Ågren, a former transport agency leader who was fired in January 2017 and later fined for being careless with secret information, several reports said.

According to an FAQ from the transport agency, the agency signed an outsourcing contract with IBM Sweden. However, Ågren decided to abstain from the Security Act, the Personal Data Act and the Publicity and Privacy Act as well as the Authority's own guidelines for information security requirements, the FAQ says.

By January 2016 prosecutors were looking into the situation, which led to Ågren's firing in January 2017 and the start of a criminal investigation in June 2017, the FAQ says.

Making It Easy for Hackers

This leak is the latest in a growing list of major security lapses worldwide that involved careless enforcement of business processes or software settings.

“Unlike breaches where malicious users target vulnerable systems, this leak of personally identifiable information was the result of carelessness,” said Rich Campagna, CEO of Bitglass. “Unrestricted access to personally identifiable information and limited recourse in terms of recovering that data are both serious gaps in security.”

Many of this year's biggest leaks involved customers or outsourcing partners storing data on Amazon Web Services without properly activating Amazon's built-in security features.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.