Unscreened third-party IT workers were provided full access to the information of vehicles including police and military by the Swedish Transport Agency. Management of the operations were outsourced to IBM administrators without security checks in 2015.
According to the reports, as the data is handled in time pressure for this activity, there was no option to transfer bypassing standard security protocols.
Affected information included vehicle registration data for every Swedish citizen, data on all government and military vehicles, weight capacity of all roads and bridges — and the names, photos, and home addresses of air force pilots, police suspects, elite military operatives, and people under witness protection.
As per the Swedish Pirate Party founder Rick Falkvinge the breach is the “worst known governmental leak ever,” noting, “Sweden’s Transport Agency moved all of its data to ‘the cloud,’ apparently unaware that there is no cloud, only somebody else’s computer.”
“Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) lately, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked,” Falkvinge wrote.
The entire register was sent to marketers which also included people in the witness protection program.
When that happened, Falkvinge wrote, “the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these:e records themselves. This took place in open clear text email.”
RiskVision CEO Joe Fantuzzi mentioned the risk of third party vendors.
While understanding your own risk environment is an important step in improving your risk posture, Fantuzzi said, it’s far from the only step.
“Organizations that fail to assess third party vulnerabilities will be left with gaping blind spots that will leave them susceptible to breaches and cyber attacks down the road,” Fantuzzi said.
“Ultimately, organizations need to truly consider third party environments as an extension of their own, and treat them as such from a security and risk perspective.”
____________________________________________________________________________________________
Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leader’s quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.