Criticism is mounting over IT security at Swedish government agencies after it emerged that millions of Swedes’ personal data may have been leaked to other countries.
Swedish media is reporting a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to a leak of private data about every vehicle in the country, including those used by both police and military, reported The Local.
Sweden’s security police Säpo has investigated Transportstyrelsen after information was made available to IT workers in Eastern Europe who had not gone through the usual security clearance checks when the agency outsourced its IT maintenance to IBM in 2015.
The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military’s most secretive units, police suspects and people under the witness relocation program, as well as the weight capacity of all roads and bridges, and much more, according to Hacker News.
The incident is believed to be one of the worst government information security disasters in world history.
The scandal hit the headlines in Sweden when it emerged that former director-general Maria Ågren – who was fired for undisclosed reasons in January 2017 – had been fined 70,000 kronor after the probe found her guilty of being “careless with secret information”.
In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks.
However, the Swedish Transport Agency uploaded IBM’s entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs.
The transport agency then emailed the entire database in messages to marketers that subscribe to it, in clear, unencrypted text.
When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.
The scandal does not end there. The outsourcing deal gave IBM staff outside Sweden access to the Swedish transport agency’s systems without undergoing proper security clearance checks.
IBM administrators in the Czech Republic were also given full access to all data and logs, according to Swedish newspaper Dagens Nyheter, which analysed the Säpo investigation documents.
One Transport Agency staff member described the outsourcing without proper security checks as handing over “the keys to the Kingdom” in an interview with Säpo, reports Dagens Nyheter.
“The fact that a security check has not been made is serious. That means you have not tested the people’s loyalty and don’t know if you can trust them from the Swedish side.
In the case of Serbia there’s a fairly close relationship between the Serbian and Russian intelligence services. In the worst case, foreign intelligence services have been given an access route into the computer systems,” security expert Johan Wiktorin told Dagens Nyheter.
“I think it is serious that security protection is not taken seriously at so many government agencies, including the Transport Agency in this case,” prosecutor Ewamari Häggkvist told Swedish public radio.
“It is not forbidden in Sweden to place data services in other countries, even if you’re an authority that holds secret information. But what it’s about is that people need security clearance to handle such data, and that’s where they failed.”
The maintenance of the Transport Agency’s vehicle and licence register was outsourced to IBM in April 2015 in order to save money.
But the transfer took place under time pressure, because the Swedish Transport Administration (Trafikverket), which previously ran the register, had already started letting staff go, and Ågren said she saw no other option than to bypass the usual security rules.
The question of whether or not Sweden’s national security was harmed is censored in the Säpo report.
Swedish authorities’ IT security has come under fire several times in the past year. Last year the National Audit Office (Riksrevisionen) scrutinized nine state-controlled agencies and found that IT security was not “a sufficiently high priority (…) in relation to the risks that exist”.
Last month the centre-left government presented a new national strategy for information and cyber security.
“If you have information critical to society it is not a good idea to store it somewhere where you can’t control it. The risk of using foreign cloud services is that you can’t control who could be able to access the information.
If we’re talking about an attacker who is a high-capacity foreign state that type of outsourcing carries obvious risks,” Interior Minister Anders Ygeman was quoted by the TT newswire as saying at the time.
According to Rick Falkvinge, Pirate Party founder and now head of privacy at VPN provider Private Internet Access, who reported on details of the scandal, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”
According to Falkvinge, the leak exposed:
The weight capacity of all roads as well as bridges (which is crucial for warfare, and indicates which roads are intended to be used as wartime airfields);
Names, photos, and home addresses of fighter pilots in the Air Force;
Names, photos, and home addresses of everybody in a police register, which were believed to be classified;
Names, photos, and residential addresses of all operators in the military’s most secret units that are equivalent to the SAS or SEAL teams;
Names, photos, and addresses of everybody in a witness relocation program, who have been given protected identities for security reasons;
Type, model, weight, and any defects in all government and military vehicles, including their operators, which reveals much about the structure of military support units.
Although the data breach occurred in 2015, the Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.
Ågren was also fined half a month’s pay (70,000 Swedish kronor, which equals $8,500) after being found guilty of being “careless with secret information,” according to the publication.
The leaked database may not be secured until the fall, said the agency’s new director-general Jonas Bjelfvenstam. The investigation into the scope of the leak is still ongoing.