By Steven McGinty
In July 2017, the Swedish Government faced a political crisis after admitting a huge data leak that affected almost all of its citizens.
The leak, which dates back to a 2015 outsourcing contract between the Swedish Transport Agency and IBM Sweden, occurred when IT contractors from Eastern Europe were allowed access to confidential data without proper security clearance. Media reports suggested that the exposed data included information about vehicles used by the armed forces and the police, as well as the identities of some security and military personnel.
The political fallout was huge for Sweden’s minority government. Infrastructure Minister Anna Johansson and Interior Minister Anders Ygeman both lost their positions, whilst the former head of the transport agency, Maria Ågren, was found to have been in breach of the country’s privacy and data protection laws when she waived the security clearance of foreign IT workers. In addition, the far-right Sweden Democrats were calling for an early election and Prime Minister Stefan Löfven faced a vote of no-confidence in parliament (although he easily survived).
However, it’s not just Sweden where data leaks have become political. Last year, the UK saw several high-profile incidents.
Government Digital Service (GDS)
The UK Government’s main data site incorrectly published the email addresses and “hashed passwords” of its users. There was no evidence that data had been misused, but the GDS recommended that users change their password as a precaution. And although users did not suffer any losses, it’s certainly embarrassing for the agency responsible for setting the UK’s digital agenda.
Official documents revealed that Scottish Government agencies experienced “four significant data security incidents” in 2016-17. Three out of four of these cases breached data protection legislation.
Disclosure Scotland, a body which often deals with highly sensitive information through its work vetting individuals, was one organisation that suffered a data leak. This involved a member of staff sending a mass email, in which email addresses could be viewed by all the recipients (a breach of the Data Protection Act).
Murdo Fraser, MSP for the Scottish Conservatives, criticised the data breaches, warning:
“These mistakes are entirely the fault of the Scottish government and, worryingly, may signal security weaknesses that hackers may find enticing.”
In the summer of 2017, the UK parliament suffered a ‘brute force’ attack, resulting in 90 email accounts with weak passwords being hacked and part of the parliamentary email system being taken offline. A few months later, the Scottish Parliament experienced a similar sustained attack on parliamentary email accounts. MPs have suggested Russia or North Korea could be to blame for both attacks.
MPs sharing passwords
In December 2017, the Information Commissioner warned MPs over sharing passwords. This came after a number of Conservative MPs admitted they shared passwords with staff. Conservative MP Nadine Dorries explained:
“My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes.”
Their remarks were an attempt to defend the former First Secretary of State, Damian Green, over allegations he watched pornography in his parliamentary office.
The Swedish data leak shows the political consequences of failing to protect data. The UK’s data leaks have not led to the same level of political scrutiny, but it’s important that UK politicians stay vigilant and ensure data protection is a key priority. Failure to protect citizen data may not only have financial consequences for citizens, but could also erode confidence in public institutions and threaten national security.