While Sweden’s IT Breach Threatens Its Government, America May Be Headed Down The Same Road
Sweden’s massive data breach is not just a national crisis, it’s a dire warning to other countries.
When you work in IT, you often find that some people in charge have a shockingly blase attitude towards handling vast amounts of data. As costs of storage plummeted, governments and corporations are hoarding a whole lot of data that are often interconnected in unexpected ways, and not taking the time to track those links down is sadly common. But really, with oceans of bits and bytes what’s the worst that could happen if you cut that corner? Well, if you’re the director of the Swedish Transport Agency, it will get you fired. And possibly bring down your government in the process.
If you’re looking for the story of a hack that put a government in peril, this isn’t it. No, this is the story of a facepalm-worthy feat of ignorance. In short, the Swedish Transport Agency made a deal with IBM Sweden to manage a few databases and handle vehicle registrations electronically. Nothing about the deal was unusual in any way except for one little thing: the STA did not limit the company’s access to government databases, and contractors as far as Eastern Europe were able to look at classified information.
This data was a jackpot for any spy or criminal. It had the identities and full personal information of many undercover police and security agents, as well as those gathering covert military intelligence. This is on top of the personal data of millions of Swedish nationals, including people who were in witness protection programs. So it’s little wonder that Prime Minister Stefan Lofven called the whole thing “a disaster” and the nation’s lawmakers are furious enough to seriously plan for a vote of no confidence after a summer recess, which can dissolve the sitting government and trigger new elections.
By far the biggest worry was that Czech nationals would be working with extremely sensitive data, which is why the nation’s security service, Sapo, tried to oppose the deal as it was, fearing any data breach could end up in the hands of Russian spies. However, the contract was approved over their objections, and while we don’t know for sure the relevant data wasn’t sold off by enterprising contractors to an adversarial foreign power, Sweden’s government can’t completely rule it out. This is why Defense Minister Peter Hultqvist is likely to get the boot should the vote of no confidence pass.
Calling this chain of events a disaster is an understatement. It could very well be the worst known IT mishap so far, considering the sheer scope and context of exactly what happened. But what makes it so disconcerting isn’t even the breach itself, it’s the fact that it was entirely self-inflicted by a few political appointees who failed to appreciate the scope of their work, heed the experts’ advice, and secure their own data. If Russian intelligence has a detailed list of Swedish undercover agents, it’s because Sweden indirectly handed it to them, not because they hacked into one.
The United States would be wise to learn from this too. The data sought by Kobach’s voting commission, aside from its obvious goal to taint elections in the future with the specter of non-existent fraud, is asking for information that would be ideal for identity fraud schemes. It may not be enough to get credit cards in someone else’s name, but plenty to impersonate victims over the phone and gain access to information that would let them max out existing cards and drain bank accounts.
Mishandling this data will have significant consequences, and considering just how bad the people involved are at the basics of cybersecurity, there’s an extremely high chance this information will fall into the wrong hands, at least in part. But considering the sheer scope of what they’re seeking, even small breaches would turn millions of voters into unwitting victims of those lurking on the dark web, buying personal information in bulk. And in fact, someone seems to be trying to pull off a similar gambit right now by using public voter rolls available from every state for a fee.
This is why Sweden’s case should be a warning to any government where an appointed politician who may not have any technical expertise is empowered to make deals that involve gathering and handling sensitive data, or may be tasked with securing it. We saw the consequences of appointees failing to do their jobs correctly, and while it’s unlikely that every incident will create as dire of a situation as Sweden’s, especially in nations without a parliamentary system of governance, there will be a painful and expensive fallout.
As we rely more and more on vast databases and complex computer systems to do just about everything, we need to let experts have the ultimate say in how it’s handled, and conduct frequent security audits to make sure all our data is safe. Likewise, we also need plans for how to proceed if that data is ever breached and laws that give those experts and audits teeth. And just as importantly, we need lawmakers who understand just how important this is. Maybe watching their colleagues in Sweden losing their jobs for failing to do just that would be a good wake up call.