Sweden Transport Agency Data Leak


Following the news about the Sweden transport agency data leak, Ken Spinner, VP of Global Field Engineering, commented below.

Ken Spinner, VP of Global Field Engineering at Varonis:

“IT outsourcing and lax data security practice strike again: this time in Sweden, compromising government documents, sensitive personally identifiable information on citizen and military data, criminal records – even details on confidential witness protection programs.
We see this time and time again, and what have we learned?  Nobody can be exempt from data privacy laws and security policies that are put in place to protect citizen information.

Exposing this type of data – and this much of it – is a huge red flag: not only can critical data and research be compromised, but personal data can be leveraged to breach more secure systems.  Not to mention the potential fallout from witness protection information being publicly available, details on secret military units, and other data that can be damaging to a government and its citizens.

The best way to reduce the risk of deliberate or accidental data exposure is to limit access to those who need it the most – keeping sensitive data locked down – and to monitor data access so that when something suspicious happens, you can catch it before it turns into global headlines.

It’s often the act of cutting corners on data privacy policy enforcement, simple mistakes, or generally bad security habits that end up causing breaches – rather than a nefarious attack.  Limiting data access and taking a privacy-by-design approach goes a long way in proactively protecting critical data.  Perhaps most importantly, government agencies – and any organisation that processes and stores sensitive data – need to establish and uphold strong cybersecurity and data protection practices: not only for internal use, but for all third party contractors as well.

By strengthening data protection practices — adopting a least privilege approach and monitoring user behaviour — organisations (and indeed, governments) will not only bolster their cybersecurity defenses, but they’ll be more protected against data leaks, insider threats and sophisticated cyberattacks as well.”