In a massive botched data transfer, Sweden’s Transport Agency sent information about every vehicle in the country to marketers. The agency believed it was moving the data to cloud storage via an outsourcing agreement with IBM, but apparently, the information was forwarded to third parties and the agency then tried to cover up the cyber security breach.
According to Pirate Party Founder Rik Falkvinge, who is also a key player at the Virtual Private Network (VPN) company Private Internet Access, a whole host of sensitive information was compromised. Several databases that may have had top-secret designation may have been included in the information security violation, including data on members of the military holding high-security positions, criminal suspects, and citizens in witness protection programs. The information breached included names, photos, and addresses.
Falkvinge also criticized the lack of punishment in the case. The department director found guilty in criminal court for being responsible for the incident was sentenced only to the loss of half of her monthly salary.
It also became clear that the response to the leak was lackadaisical, with the marketers who incorrectly received the information simply receiving a follow-up email requesting that they delete it with no follow-up. It has also been reported that IBM employees without security clearance outside of Sweden also had access to the information.
Itsik Mantin, the director of the cyber security firm Imperva, noted that, as with many network security breaches, this one was the result of lax internal protocols, not the efforts of hackers breaking into a database. Sensitive information was simply sent to a significant number of third parties who had no business having access to it.
