Corporatisation of critical information infrastructure (CII) is rooted in the ‘privatisation wave’ of the 1980s-90s, when ground was laid for outsourcing public utilities. Despite well-known risks relating to reliability, resilience, and accountability, commitment to efficiency imperatives have driven governments to outsource key public services and infrastructures. A recent illustrative case with enormous implications is the 2017 Swedish ICT scandal, where outsourcing of CII caused major security breaches. With the transfer of the Swedish Transport Agency’s ICT system to IBM and subcontractors, classified data and protected identities were made accessible to non-vetted foreign private employees – the sensitive data could thus now be anywhere. This case clearly demonstrates accountability gaps that can arise in public-private governance of CII.