In what’s amounting to a pretty significant slip-up, Swedish Transportation Authority appears to have provided quite a bit of sensitive information to a group in the Czech Republic. What is really surprising to me is that they are outsourcing so much of their potentially sensitive data offshore.
While I understand the attractiveness of outsourcing some IT functions, when your data is this significant and personal, steps must be to be taken to better secure it. Coming from a Department of Defense background, there were certain things that we would never allow non-citizens or offshore third-party entities to see. In this case, all of the vehicle information, including that of military and police, were provided to groups in the Czech Republic without a reasonable screening process.
More surprising than that, is the fact that their firewalls and much of their communications is being managed from Serbia. Really? There are times when the transfer of risk or management of Information Technology functions make sense. We see this all the time in a smaller scale with respect to cloud computing, but again there are times where saving a few dollars is not worth the risk of exposing the data.
Can you imagine if here in the US, the Transportation Authority, or even State MVDs outsourced the data processing and storage to an outside country like say, North Korea? This is pretty much like what’s Sweden is doing when Outsourcing firewalls and such to Serbia and having the Czech Republic deal with their Transportation Authority data. Perhaps tensions aren’t quite as high between those countries as the US and North Korea, but my understanding is they aren’t exactly in lockstep either.
Think about this when you’re looking at cloud providers. Understand where the data is going, who is processing it and the nature of the data and sensitivity as well. Require background checks for people who are handling sensitive information. Don’t be that guy or gal that makes the news like this.
Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.