Like Humpty Dumpty’s fall from the wall, a major data breach can crack a government

GRC | 2 Min Read | 08 August 17 | by BLOG ADMIN


When governments suffer data leaks, the traditional fallout of a breach is combined with political scandal – the impact is multiplied and the scrutiny magnified. Questions are asked about why information was withheld or, if the breach was announced soon after discovery, why it took so long to uncover.

Just as a business suffers reputational damage after a breach, the Swedish Government faces a real struggle to regain citizens’ confidence. So far two government ministers have been sacked, and the investigation into the handling of sensitive government data on its citizens and national security is expanding. Rebuilding trust, if it is possible at all, will involve the removal of some high-profile ministers; Anders Ygeman, the country’s home affairs minister, and Anna Johansson, the infrastructure minister, were the first to hand in their resignations.

This and other recent third-party breaches challenge the assumption that data is safer with service providers. Organizations often outsource IT functions because specialist companies are seen to have better infrastructure and cybersecurity capabilities. They have economies of scale as well as an economic incentive to keep data secure – they lose business if it isn’t. Yet what appears to be lost on some organizations is that when you outsource or put data in the cloud, you remain the data controller – the accountability for security and privacy remains with you.

When outsourcing is the most viable option, governments tend to transfer some of the risk onto third parties through contracts, setting specific clauses that ensure data is held and used in ways appropriate to its sensitivity. These usually involve requirements around data access as well as the ‘right to audit’. However, some of these vital clauses were left out of the contract with IBM in order to speed up the process. This corner cutting resulted in the sensitive information being readily available to non-vetted IT workers outside of Sweden – and this was not just PII, but also highly sensitive national security information. As such, when entering into partnerships that involve sensitive or confidential data, organizations must scrutinize contracts. Companies can no longer plead ignorance of their third party’s actions – GDPR’s shared responsibility approach will enforce this further – so they must ensure that all bases are covered from the outset.

Furthermore, in addition to the exposure of data to IBM contractors outside of Sweden, the Swedish Transport Agency was very careless in how it shared information on Swedish citizens with marketers who subscribe to its databases. These breaches were not due to some sophisticated hacking attack or social engineering scam. It is hard to believe that massive breaches of this kind continue to happen through negligence and carelessness, but they do.
