An investigation by the Swedish Security Service (Säpo), Sweden’s security police, into an IT deal that the Swedish Transport Agency made in 2015 has revealed that data on all vehicles in the country (including those of the police and military and individuals on witness protection programs) was made available to IT workers in Eastern Europe who had not undergone security clearance checks.
According to sources, the former director general of the agency, Maria Ågren, rushed the contract through because she was under a lot of pressure from her bosses.
Against the advice of her then-security adviser, she skipped guidelines that were designed to protect access to such data.
In 2015, the Swedish Transport Agency contracted IBM to manage its databases and networks.
The IBM administrators in the Czech Republic were also given full access to all data and logs.
Normally, in such a situation, the information deemed sensitive is removed from the dataset.
But what this team managed to do was send out the whole list, including people with protected identities and every vehicle in the country, including police and military registrations.
When the error was discovered, a new list was sent out on March 10, 2016, via an unprotected email with a file of entries to remove, which helpfully pointed out which users on the list were deemed “sensitive,” i.e. part of a witness protection program. The email also asked the companies to remove the data themselves rather than having the agency handle the removal.
Another set of contractors in Serbia was managing the firewalls and communications and was probably able to monitor what information was being shared between the Transport Agency and 24 other Swedish government agencies, according to Dagens Nyheter, which saw the Säpo investigation documents.
Micael Byden, Sweden’s supreme commander, said there was a risk that information about some military vehicles and people with protected identities had leaked. The armed forces had earlier said the transport agency — which regulates everything from civil aviation to driving licences — could have information about personnel and security planning as well.
According to Rick Falkvinge, Pirate Party founder and now head of privacy at VPN provider Private Internet Access, who brought details of this scandal to light, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation,” including:
- The weight capacity of all roads as well as bridges (which is crucial for warfare, and gives a good idea of which roads are intended to be used as wartime airfields).
- Names, photos, and home addresses of fighter pilots in the air force.
- Names, photos, and home addresses of everybody in a police register, which are believed to be classified.
- Names, photos, and residential addresses of all operators in the military’s most secret units, which are equivalent to the SAS or SEAL teams.
- Names, photos, and addresses of everybody in a witness relocation program, who have been given a protected identity for some reason.
- Type, model, weight, and any defects of all government and military vehicles, including their operator, which reveals much about the structure of military support units.
While the data breach happened in 2015, the Swedish Secret Service discovered it in 2016 and started investigating the incident, which finally led to the firing of STA director-general Maria Ågren in January 2017.
Ågren was also fined half a month’s pay (70,000 Swedish krona, equal to $8,500) after being found guilty of being “careless with secret information,” according to the publication.
The country’s prime minister Stefan Löfven described the incident as “extremely serious” and blamed the botched outsourcing agreement on the country’s transport agency for such a large breach of government secrets.
“What happened in the transport agency is a disaster. It is extremely serious. It has exposed both Sweden and Swedish citizens to risks,” Mr Löfven said on Monday in a press conference with the head of Sweden’s security services and the supreme commander of the armed forces.
Löfven, who admitted he had known of the scandal, said Anna Johansson, the minister of infrastructure, who is responsible for the Transport Agency, had not passed information on to him.
Johansson on Sunday in turn blamed one of her former state secretaries for not informing her about the scandal.
“I wish I had been informed earlier,” Löfven said, adding that he had no plans to fire any ministers. “I have full confidence in them (ministers) until I say otherwise.”
The scandal could threaten the jobs of several ministers in the centre-left coalition and the government itself. Opposition parties have said they could ask for a no-confidence motion to be debated in parliament.
Jimmie Åkesson, leader of the Sweden Democrats, the third-biggest party in parliament, said that “the government has known about the leaks for nearly two years. We demand they take responsibility”.
And Anna Kinberg Batra, leader of the main opposition party, the Moderates, said before the press conference: “[The government’s performance] impresses few and provokes even more.”