What enterprises can learn from national data breaches

Sweden is the latest country whose data security has been shown to be woefully inadequate. What lessons can be learned?

Data breaches are rarely out of the news. Often they are due to hackers, such as the HBO leak and, well, insert a link here to any story about your preferred celebrity du jour having his/her naked photos stolen and proffered on the open market. There are so many that it's hard to choose.

But sometimes hacking isn't the issue. Often it's plain old-fashioned negligence or stupidity. That's especially the case when it comes to data loss by government agencies. What's intriguing about these stories, though, is how the public then reacts.

For example, UK citizens appear to have become inured to the routine loss of their private data by government departments. It began in the 1990s with USB sticks, laptops and CDs full of personal data being left on trains, on the roofs of cars that then drove away, or mailed to the wrong address; all unencrypted, of course. The full list – or at least the full known list – is here.

As you can imagine, the British people were up in arms about each and every one of these breaches, marching on the streets to demand the resignation of the government and… no, wait. That didn't happen. Brits by and large seem unfazed by this type of arguably criminal and certainly woefully negligent behaviour by government IT workers and contractors. That's particularly puzzling given that the data was often demanded without consultation in the first place. “Give us your private data so we can keep it safe. Oops!”

The UK is not alone in this. Governments around the world routinely lose or compromise data entrusted to them by citizens. An entire industry – Data Loss Prevention – has sprung up around this. Private organisations also lose data, of course, but unlike governments they have a financial and legal imperative to at least try not to do so. In government, where the sternest repercussions are likely to be “Lessons have been learned”, in reality lessons are unlikely to ever be learned.

All of which makes Sweden an interesting case. In July this year it came to light that the government's Transport Agency had inadvertently made vast swathes of personal data available online during a move to the cloud. This included the contents of numerous top-secret databases, potentially putting at risk the lives of thousands of military personnel, people in witness protection programmes, everyone in police registers, and many more.

Before this news reached the public's ears, the Director General of the Transport Agency, Maria Ågren, was removed from her post and fined half a month's pay. Subsequent steps to try to recover from the breach were inadequate, ill-advised and effectively made the situation worse.
