How To Get In Trouble When Outsourcing IT
The Swedish government has become embroiled in a scandal after an IT outsourcing deal went horribly wrong.
There was an old TV commercial that included the line “No one ever got fired for buying IBM”, implying that IBM was a safe bet. Not in this case.
The Swedish Transport Agency decided to outsource it’s IT operations to IBM, which in itself is not problematic. Unfortunately, apparently no one considered the security of what they were doing.
The data which IBM was now administrating included data about every VEHICLE and every DRIVER in the country, including those used by the police and the military. IBM administrators in the Czech Republic were given access to all data and logs and did not have to go through any pesky background checks.
In addition, after uploading the entire database to the cloud, the Swedish Transport Agency emailed the entire database in messages to marketers that subscribe to it. Included was every vehicle in the country including police and military registrations and people in the witness protection program.
And of course, as is normal for emails, it was all sent in the clear, unencrypted.
To compound the problem, when they discovered their error, they sent a new list by email, ASKING the recipients to delete the first email.
According to the head of privacy at VPN provider Private Internet Access, who blew the whistle, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”
Among the data was the weight capacity of all roads and bridges in the country – useful for understanding how troops and tanks might be moved in war time; names, photos and home addresses of the military’s most secret units and a lot of other very sensitive information. You can read the article to see the rest of the list – not something you would want in your enemy’s hands.
The breach happened in 2015 and was discovered in 2016. The director general of the Transport Agency was fired this year and fined about $8,000.
Oh, yeah, it is not likely that the database will be secured again for several more months, meaning that people without a clearance still have access to this data and that fact is now VERY public.
Suffice it to say, for the tens of millions of Swedish citizens, police and military, there is a little bit of an upset.
There is, of course, a lesson to be learned and it is not DO NOT OUTSOURCE. First, that is not the problem and second, that is not going to happen.
The lesson is that the security requirements are no different if you outsource IT then if you do it yourself.
How many readers of this column use third party IT firms or outsource the data, unencrypted, in the cloud and THE CONTRACTS WITH THESE FIRMS DO NOT SPECIFY THE SECURITY REQUIREMENTS, SECURITY AUDIT PROCEDURES AND PENALTIES FOR FAILING TO COMPLY?
I suggest that everyone reading this should review their outsourcing agreements in light of this screw-up and see whether they are in the same boat.
Remember, if you handle HIPAA protected information, sensitive non-public financial information or other sensitive or export-controlled information, the law does not care if you choose to outsource your IT because it is more convenient or cost effective. The rules for protecting it are exactly the same, whether IT is internally managed or outsourced.
Information for this post came from The Hacker News.