News broke yesterday that the Swedish transport agency suffered a major data breach, and then subsequently attempted to cover it up. Following the outsourcing of its databases and networks to, every conceivable top secret database was leaked: fighter pilots, SEAL team operators, police suspects, people under witness relocation. IT security experts commented below.
Ken Spinner, VP of Global Field Engineering at Varonis:
“IT outsourcing and lax data security practice strike again: this time in Sweden, compromising government documents, sensitive personally identifiable information on citizen and military data, criminal records – even details on confidential witness protection programs.
We see this time and time again, and what have we learned? Nobody can be exempt from data privacy laws and security policies that are put in place to protect citizen information.
Exposing this type of data – and this much of it – is a huge red flag: not only can critical data and research be compromised, but personal data can be leveraged to breach more secure systems. Not to mention the potential fallout from witness protection information being publicly available, details on secret military units, and other data that can be damaging to a government and its citizens.
The best way to reduce the risk of deliberate or accidental data exposure is to limit access to those who need it the most – keeping sensitive data locked down – and to monitor data access so that when something suspicious happens, you can catch it before it turns into global headlines.
By strengthening data protection practices — adopting a least privilege approach and monitoring user behaviour — organisations (and indeed, governments) will not only bolster their cybersecurity defenses, but they’ll be more protected against data leaks, insider threats and sophisticated cyberattacks as well.”
Itsik Mantin, Director of Research at Imperva:
“With the flourish in AI technologies that rely heavily on enormous volumes of data for making better decisions, securing it becomes a huge challenge for security officers. More users rely in their work on access to more data, and they need this access most of the time. With dynamic data access needs of users that are hard to predict, an attempt to harness the traditional approach of building least-privilege access control system that grants each user with access to the data he really needs, is as futile as herding cats.
Like many of the breaches, this data breach is not the result of hackers penetrating the organisation and stealing data from it, but involves according to what was published, third-parties having access to highly sensitive database that could steal it, and an employee that accidentally sent this database to long list of unauthorized recipients.
The fact that the database had left the transport agency and reached uncontrolled devices, leaves only little optimism for who can have a copy now. The ability to contain such breach depends heavily on the time it takes the organisation to detect the breach and reach the uncontrolled devices to which the data arrived. However, the problem with these breaches involving insiders and third-parties is that no malware is involved and no penetration to the organisation happens, and leaving security mechanisms like firewalls and anti-viruses totally blind to them. In order to obtain quick detection that may facilitate containment of such breaches, security controls should focus on access to business critical data and users private data, monitor access, comparing access patterns to the “regular” activity, and detect anomalous data access.”
Kyle Wilhoit, Senior Cybersecurity Threat Researcher at DomainTools:
“Until organizations learn basic compensating security controls, this will continue, and likely get even worse. Things as simple as two factor authentication, and not sharing the same password across multiple accounts could be instrumental in stopping this kind of breach. Cybercriminals will use a data breach of this size to create a healthy pipeline of future cybercrimes, beginning after the records have been sold on the dark web; This could be used to facilitate identity or banking fraud, as well as to send targeted phishing emails, leading to malware. To try and cover this up is totally unacceptable, and represents yet another example of both nation-states organizations not taking cybercrime-the key word being ‘crime’ – seriously.”
Marco Cova, Senior Security Eesearcher at Lastline:
“This attack, and the subsequent cover-up attempt by the Swedish transport authorities shows the importance of both protection from data breaches, and transparency in the event when they occur. Episodes like this show that data leaks may occur because of ‘simple’ screw-ups rather than because of attacks. Organizations should limit the amount of data they collect and store to the minimum required to carry out their mission; they should further identify the pieces of data that have different security or privacy levels, and ensure that they are shared, both internally and with authorized third-parties, on a strict need basis. The fact that these details have been carelessly shared puts the individuals concerned at particular risk of falling victim to further cybercrime, making the attempted cover-up particularly disturbing. Governments and the organizations of all kinds need to develop a more ethical response to data breaches, which does not include attempts to save their own skin and instead focuses on damage control for the victims.”
Javvad Malik, Security Advocate at AlienVault:
“The leak itself is indicative of poor security practises, with the entire database being emailed in clear text. It also highlights challenges in securing third party supply chains. Furthermore, the issue was compounded by an apparent lack of security controls that should have been in place to detect such a leak.
It also gives privacy advocates more reason to be concerned where governments are seeking to expand surveillance powers, as this breach shows, governments are incapable of keeping their biggest of secrets secure.”