Millions of Swedes had their personal details exposed after the country’s transport agency outsourced unencrypted data to IBM, which moved it to a cloud server. The leak, which affected every citizen with a driver’s license, was called a “disaster” by Sweden’s PM.
The Swedish government is reeling from a massive scandal, which dates back to a botched decision-making chain that began in 2015, and involves apparently improper handling of sensitive data by officials.
A faulty IT outsourcing agreement with IBM Sweden was to blame for the “extremely serious” leak, Prime Minister Stefan Lofven said. However, there is no suggestion that IBM was in the wrong.
First, IBM was given the all-clear to move the vast database of the country’s transport agency to a cloud server abroad, which was meant to save costs. The unencrypted data was fully accessible by system administrators in the Czech Republic, while IT specialists working in Serbia managed firewalls and communications, The Local reports.
Various Swedish media have obtained details of the data transfer from a secretive report by Sweden’s security police, which did not disclose whether or not the personal details were compromised.
Reports indicate that the data included crucial information on Swedish transport and infrastructure, including all military vehicles. Names, photos and addresses of members of police, military, special forces and Air Force jet pilots are said to have been included and potentially exposed. Worse still, people under the witness protection program ended up listed in the database as well.
"What has happened is a complete failure. It is very serious. It was in breach of the law and exposed Sweden and Swedish citizens to harm," PM Lofven said in a press conference on Monday.
A former director of the transport agency, Maria Agren, who left her role in January when the breach first came to Lofven’s attention, has so far faced only a fine of 70,000 Swedish krona ($8,500), imposed last month, for being “careless with secret information.”
A statement from the agency said Agren “decided to abstain” from the National Security Act, the Personal Data Act and the Publicity and Privacy Act when dealing with IBM.
IBM administrators in the Czech Republic were given full access to the information, Dagens Nyheter (DN) reported, adding that a staff member of the transport agency described the leak as handing over “the keys to the kingdom.”
While it remains unclear if the data has actually been accessed by foreign actors or compromised, the fix is expected no earlier than this fall, according to the transport agency’s new director, Jonas Bjelfvenstam.
Ironically, the Swedish Security Service for the past two years ranked Russia as posing the top intelligence risk to Sweden. The agency’s report from March 2016 alleged that Moscow was compromising Sweden’s security through a network of about a dozen spies, operating in the country under protection of diplomatic immunity. In addition to this, the security service claimed Russia deployed “psychological warfare” against Swedish politicians and the public in the form of “misinformation campaigns” and “information operations.”
While the Russia spying claims were widely discussed by Swedish politicians and covered in the media, this particular high-profile security scandal was initially hushed up and only emerged after Agren’s court sentence became public in July. In a series of blog posts in English, Swedish Pirate Party founder, Rick Falkvinge, who is now the head of privacy at VPN service provider Private Internet Access group, has claimed that the government is trying to downplay the disastrous negligence leading to the leak.
“If a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison. But not when done by the government themselves. Half a month’s pay was the harshest conceivable sentence,” Falkvinge writes, adding that “any governmental assurances to keep your data safe have as much value as a truckload of dead rats in a tampon factory.”