The government of Sweden is in crisis following a massive data leak that may have affected nearly every citizen in the country. Although details continue to emerge, what is clear is that a government has accidentally violated the privacy of its own people by failing to adhere to basic security practices. This incident is yet another example of how properly securing information stored in the cloud with end-to-end encryption is the only way to reliably preserve its integrity and confidentiality. PreVeil’s unique platform makes doing so seamless, which is why it should be the tool of choice for protecting sensitive data sets.
Sweden’s troubles began in September 2015, when the Swedish Transport Agency (STA) began outsourcing its information technology service management to providers such as NCR in Serbia and IBM in the Czech Republic. The STA eventually uploaded a massive database of sensitive information – including details on every vehicle in the country, the identities of police and military personnel, and information regarding individuals in witness protection programs – to the cloud servers of these providers. Even at this point, had the data been properly end-to-end encrypted, Swedish citizens could still have felt confident that it was secure, even if stored in other countries. Unfortunately, this was not the case.
Due to insufficient access controls and the lack of proper encryption, IBM employees who had not undergone vetting were able to view the entire database. In many enterprise systems, large numbers of administrators hold “super user” privileges that give them sweeping access to organizational data, and that appears to have been the case in this incident. Even worse, the STA mistakenly emailed the same sensitive database – in completely unencrypted form – to a variety of marketing companies. Upon realizing its error, the agency simply asked the marketers to delete the information and sent another email without it.
These two aspects of the leak highlight several important features of PreVeil that could have easily prevented this ongoing crisis. First, and potentially most importantly, PreVeil encrypts all customer data end-to-end and only you control the keys to access it. Under no circumstances can we ever view your information, unlike the IBM employees who had unfettered access to the STA database. Second, lone systems administrators are not able to access your entire organization’s data by themselves when using PreVeil; they can only do so when a predetermined number of key personnel collectively authorize access. PreVeil’s unique Approval Groups™ enforce this feature by cryptographically distributing permission to conduct privileged actions, greatly reducing the damage a rogue or careless insider can inflict. Finally, PreVeil Drive’s granular permissions can help to prevent the sharing of sensitive data outside your organization, eliminating the possibility of errant emails leading to a spillage of critical information.
At present, the Swedish government is facing a political storm due to fallout from the recent revelation of this massive leak. Two of the country’s top ministers have resigned, and the prime minister himself is facing possible removal via a vote of no confidence. The catastrophic political consequences of this series of errors should serve as a warning to senior leaders in both the public and private sectors. Securing the data of your citizens or your clients is not simply a luxury; it is critical to your professional survival. With its elegant design and thoroughly vetted encryption protocols, PreVeil can help you do just that.