Sweden's national security at risk after huge leak of confidential data: Why it's a wake-up call for India

Sweden's Prime Minister Stefan Lofven found himself in an awkward situation on Monday when he had to admit that his government was responsible for a huge leak of sensitive information potentially putting both the national security and the country's citizens at risk.

Lofven said during a press conference that the massive leak occurred after the Swedish Transport Agency messed up with an outsourcing deal with IBM Sweden in 2015. Lofven also said that he had not been informed earlier about the IT security slip-up which is feared to have exposed confidential details about vehicles used by the Swedish armed forces and police and it might land in wrong hands.

"What happened in the transport agency is a disaster. It is extremely serious. It has exposed both Sweden and Swedish citizens to risks," Lofven said, adding that an investigation into what had happened was underway and that tougher laws for handling of sensitive information would soon be implemented.

It's indeed a disaster

In addition to the vehicle details, the leaked information also reportedly included names and home addresses of millions of Swedish citizens including fighter pilots and members of the military's most secretive units. According to Swedish media, the leak also exposed databases containing criminal records and information about police suspects.

The transport agency itself said that in order to speed up the contract process Maria Agren, a former director-general of the agency, avoided several laws relating to security, personal data and privacy. Agren, who was fired in January for undisclosed reasons, was last month fined about $8,500 over the sloppy handling of secret information.

Although the Swedish armed forces and the police said that the situation was manageable, the scandal has raised serious questions about how it occurred, and the way it has been handled within the government. Lofven said that he had been aware of the issue since January while the interior and defence ministers knew about it 18 months ago.

Swedish disaster is a wake-up call for India

Over the last few years, India has experienced several serious data breaches.

In May 2016, cyber security firm Symantec revealed in a report that Suckfly, an advanced cyber espionage group, conducted long term espionage campaigns against high profile targets, including the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. Symantec said that it had identified a number of attacks over a two-year period, beginning in April 2014.

In October 2016, a large scale malware attack compromised data of nearly 32 lakh debit cards of various banks in India in what was seen as the biggest data breach ever experienced by the country's financial sector. India was also said to be one of the worst-hit nations during the WannaCry ransomware attack that crippled computer systems across the globe in May while the NotPetya cyber attack in June hit one of the three terminals of the Jawaharlal Nehru Port Trust, the country's largest container port, in Mumbai.

The most recent Reliance Jio database breach created an even bigger chaos by reportedly compromising the personal data of over 100 million customers. The alleged hacking put the 12-digit Unique Identification Authority of India (UIDAI) provided number, commonly known as the "Aadhaar" number, at risk as many users had registered for Reliance Jio services by using that number.

The "Aadhaar" number, which stores the biometric data of users in a centralised database, has also been made mandatory by the Indian government for various services ranging from opening a bank account to filing tax returns.

Jio didn't clarify because it didn't have to

Although Reliance Jio denied the data leak and said that its subscriber data was safe, it later made a confounding move by filing a complaint, claiming unlawful access to its computer systems.

According to security experts, companies in India are not bound to disclose data breaches to clients, raising questions of security and accountability.

"A rule to report breaches exists, but it is unenforceable," Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), a research organisation, told Reuters. "It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined."

India is gradually advancing towards a digital economy. More importantly, the newly implemented Goods and Services Tax (GST) system is completely digitised and is required to throw up billions of invoices per month. Considering that most cyber attacks are motivated by financial crime, it is high time for the government to give thought to effective protection of digital transactions.