Data security lessons from the Swedish Transport Agency breach
Data security lessons from the Swedish Transport Agency breach

So far, 2017 has set a record pace for data scandals, with government figures suggesting that 46 percent of businesses have now experienced a digital attack. One of the most recent data disasters was suffered by the Swedish Transport Agency (STA). Unlike other reported cases of organisations suffering malicious attacks, the STA sent out thousands of citizens' private information to marketers across eastern Europe. The situation has rightly been heavily criticised by infosec experts as an enormous lapse in data security protocols.


The STA incident has attracted significant and derogatory criticism from the data security industry for several reasons. The biggest of which being that the organisation uploaded an unprecedented amount of citizens' data onto cloud servers, including the sensitive information about Air Force personnel, those on Police Registers and individuals in witness relocation who had been given protected identities. After an outsourcing job with IBM Sweden, these sensitive public records, which included the entire national driver's licence database, addresses and dates of birth, were emailed to thousands of marketers in Eastern Europe, who did not have the required security clearance to be accessing the information. What's more, they then resent a subset, consisting of just the sensitive records to the marketers, with a request asking for them to be deleted! Essentially, the data was emailed in an unencrypted, cleartext format, to thousands of un-vetted marketers across Europe. Twice!


Clearly, there were some simple, but devastating data handling mistakes made. But one positive thing that can be taken from this STA blunder, is that your company can use this disaster to start a conversation about your own data handling and protection strategies.


So here are three pieces of advice that you can take on board, to avoid becoming the next data security incident to hit international headlines:

1)     Do more than implement a data security perimeter

It is critical to ensure that all personally identifiable information (PII) is 100 percent obscured and encrypted when it's in-flight or at rest. That way, if data is emailed, or stored on an unprotected IT system or cloud server, whether deliberately or accidentally, even those employees with access to the files will be unable to view the sensitive data. Had the STA ensured proper encryption, this is a danger that they could have easily avoided.

2)     Don't hold data you don't need!

A key way to protect data is to ensure you don't store unnecessary information within IT systems. Ultimately, the risks of holding customer data are increasing day by day. Companies should be scrutinising their data management processes and identifying instances where they can remove PII.

In the case of the STA, reports suggest that the files included addresses of citizens in witness protection and members of the police force and military. Clearly, this is data that did not need to be in the possession of a transport department in the first place. A simple risk assessment would have identified the contents and restricted elements of the data, which could have easily reduced the impact of losing this data in the first place, by refusing to accept it or if they absolutely had to access it, quarantining the records away from the superset.

3)     Be diligent with your outsourcing

You must take real care to ensure that your own staff are trained in secure data handling practices. But if you decide to outsource, it's also crucial that you are working with trusted, vetted industry partners, who will make every effort to protect PII and put the necessary layers of data security in place. No matter what deal you've signed, your customers' data is always your responsibility, so you need to be aware of where it is and how it's being safeguarded.

In the STA's case, though it was its own employees that emailed the data to unauthorised parties, prior to this it allowed un-vetted employees of a third-party vendor to view the data. The message should be loud and clear that you can't leave data and data security in the hands of others – it's up to you to ensure you know who has access to your data.

Don't let it be you

Nobody wants to look back and find themselves to blame for their company exposing customer data. Whether it's malicious or accidental, the reputational and financial damage can be catastrophic. And with the EU GDPR on the horizon, and the UK government proposing its own version of the regulation – the UK Data Protection Bill –companies will be held accountable for their oversights. €20 million or four percent of global revenue is a steep price to pay, not to mention the loss of customer loyalty, significant damage your brand reputation and tumbling share prices.


At a time when customers are becoming increasingly wary of companies' data protection measures, securing PII is more important than ever.


Contributed by By Ben Rafferty, global solutions director of Semafone


*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.