Sweden is now battling a catastrophic data breach that has seen millions of bytes of sensitive data exposed to the public and left the country’s security at risk.
According to reports, the data leak resulted from a mishandled outsourcing deal between the Swedish Transport Agency (Transportstyrelsen) and IBM. Apparently, the mishap led to the leakage of personal information and confidential government data.
The data breach purportedly exposed the names, photos, and home addresses of millions of Swedish citizens.
Not only that, but it also includes data on Swedish air force fighter pilots, all members of the government’s secret military units, crime suspects, and people under the witness relocation program. If you thought that was bad, even the weight capacity of all roads and bridges in Sweden was leaked.
How the Swedish Data Breach Happened
In May 2015, the Swedish Transport Agency, under its then Director General Maria Ågren, awarded IBM a contract to manage its database and network.
It was said that IBM was given the go-ahead to upload all available information from the agency’s database to the ‘cloud.’ However, IBM outsourced the task to subcontractors from Eastern Europe, including the Czech Republic and Serbia.
IBM gave the subcontractors access to the full dataset without seeking security clearance from the Swedish government or the agency. Further reports suggest that the subcontractors were able to view sensitive information such as names, photos, and addresses of Swedish citizens and some military personnel, contained in emails sent by the Swedish Transport Agency itself.
It appears that instead of providing a redacted version of the database to IBM, the Swedish Transport Agency sent the database in clear-text emails to the companies involved, asking them to manually delete all sensitive information they held.
“There’s an enormous amount of data in Swedish about the overall leak scandal, but among all that data, one piece bears mentioning just to highlight the generally sloppy, negligent, and indeed criminal, attitude toward sensitive information,” Rick Falkvinge, Head of Privacy at Private Internet Access and the founder of the first Pirate Party who brought the issue to the attention of international press, was quoted as saying.
According to reports, the breach took place in September 2015, when the unrestricted information was made available to people with no security clearance. However, it was only in March last year that the Swedish Secret Service realized what had happened and started its investigation.
STA Director Resigned: Fine Worth Only $8,500 USD
Following the mishap, authorities charged STA director general Maria Ågren in 2016, and early this year she was forced to resign.
The Swedish courts found her guilty of negligence, but her sentence was seen as ludicrous by the public, with the court only fining her half of her monthly salary. Falkvinge said:
“Given how much the establishment has got each other’s backs, this sentence was roughly equivalent to life in prison for a common person on the street, meaning they must have done something really awful to get not just a guilty verdict, but actually be fined half a month’s salary.”
Right now, the Swedish government is still investigating the extent of the breach and whether IBM or NCR employees were granted access to the European Union’s secure STESTA intranet or the Swedish Government Secure Intranet (SGSI).