
What enterprises can learn from national data breaches

Analysis
Sep 07, 2017 | 5 mins
Data Breach, Security

Sweden is the latest country whose data security has been shown to be woefully inadequate. What lessons can be learned?

Data breaches are rarely out of the news. Often they are due to hackers, such as the HBO leak and, well, insert a link here to any story about your preferred celebrity du jour having his/her naked photos stolen and proffered on the open market. There are so many that it’s hard to choose.

But sometimes hacking isn’t the issue. Often it’s plain old-fashioned negligence or stupidity. That’s especially the case when it comes to data loss by government agencies. What’s intriguing about these stories, though, is how the public then reacts.

For example, UK citizens appear to have become inured to the routine loss of their private data by government departments. It began in the 1990s with USB sticks, laptops and CDs full of personal data being left on trains, on the roofs of cars that then drove away, or mailed to the wrong address; all unencrypted, of course. The full list—or at least the full known list—is here.

As you can imagine, the British people were up in arms about each and every one of these breaches, marching on the streets to demand the resignation of the government and … no, wait. That didn’t happen. Brits by and large seem unfazed by this type of arguably criminal and certainly woefully negligent behaviour by government IT workers and contractors. That’s particularly puzzling given that the data was often demanded without consultation in the first place. “Give us your private data so we can keep it safe. Oops!”

The UK is not alone in this. Governments around the world routinely lose or compromise data entrusted to them by citizens. An entire industry—Data Loss Prevention—has sprung up around this. Private organisations also lose data, of course, but unlike governments they have a financial and legal imperative to at least try not to do so. In government, where the sternest repercussion is likely to be a statement that “Lessons have been learned”, lessons are in reality unlikely ever to be learned.

All of which makes Sweden an interesting case. In July this year it came to light that the government’s Transport Agency had inadvertently made vast swathes of personal data available online during a move to the cloud. This included the contents of numerous top-secret databases, potentially putting at risk the lives of thousands of military personnel, people in witness protection programmes, everyone in police registers, and many more.

Before this news reached the public’s ears, the director general of the Transport Agency, Maria Ågren, was removed from her post and fined half a month’s pay. Subsequent steps to try to recover from the breach were inadequate, ill-advised and effectively made the situation worse.

Perhaps surprisingly, the Swedish public noticed this chain of events and were furious. Demonstrations did happen and there were calls for the government to resign en masse. At the time of writing that hasn’t happened, but this is an issue that’s not going away any time soon. Investigations into the sequence of events are likely to show that Ågren was not the only one at fault.

Why does this matter for IT enterprises? Because there’s potential for guilt by association. IBM was the vendor for the Swedish cloud migration and there’s no indication that the company has done anything wrong. But headlines such as “Sweden Tries to Stem Fallout of Security Breach in IBM Contract” will make for uncomfortable reading at Big Blue.

So IT enterprises thinking of bidding for government contracts should be careful. It’s not enough to provide the services requested. You must also educate your government contacts so that they understand their responsibilities. Otherwise you may find yourself tarred with the same brush, however unfairly.

Alternatively, IT businesses could concentrate on bidding in the UK, where the public’s attitude has been more lax. But even that may now be changing. A story first broken by New Scientist, about Google/Alphabet subsidiary DeepMind accessing private NHS data, has garnered a surprising amount of coverage and concern. The information commissioner effectively said it was illegal. The public has noticed.

This might be a flash in the pan, of course. But it might instead be a turning point, when citizens around the world become increasingly aware of the value of their data and, more importantly, the true cost when it is breached, lost, or made available to people who have no right to access it.

Time will tell, but there are other hints that the wind may be changing in favour of privacy and away from bulk data collection and retention by governments. India’s highest court ruled in August that privacy is a fundamental right, throwing a spanner into the works of the government’s plans for a national ID card scheme. Perhaps this is completely unrelated to the Sweden story, but it’s hard to believe that the judge wasn’t at least aware of it.

Government data loss has been happening so often it’s almost become a compound noun in the public consciousness. But group minds are fickle, and if change is afoot then IT enterprises will need to ensure they’re on the right side of the debate and the law.

Alex Cruickshank programmed his first computer in 1980, realising with relief that his appalling handwriting would no longer present a barrier to a successful career. He spent much of the nineties writing for nearly all the UK-based computer magazines. Then he ran his own tech website, IT Reviews, for a decade before selling it in 2010. He now writes about business and technology, with a side-line in science fiction. Despite being married with children, he finds it hard to settle down: he's lived in various places in the UK and New Zealand and currently lives in Berlin, Germany. He loathes social media but can be found online at ministryofprose.com.
