Sweden Grapples with Sensitive Data Leak ScandalDriver's License Data and Possibly More Was Accessible to Foreign Contractors
Sweden is grappling with the fallout from a sensitive data breach that occurred two years ago and the scope of which has only recently trickled out. It resulted in the prosecution of the former head of the Transport Agency and deep questions over an outsourcing arrangement with IBM.
See Also: DevOps - Security's Big Opportunity
Prime Minister Stefan Löfven is expected to address the issue for the first time on Monday after a shake -up of senior-level management in Transport Styrelsen, or Transport Agency, and its board.
There are differing accounts of what was exposed. But it indisputably included the country's driver's license database, including photos, and information on whether an individual was in a witness relocation program.
The Transport Agency sought in a news release Sunday to tamp down concerns. But it has acknowledged that the agency's director general took security shortcuts when overseeing a revamp of its IT infrastructure that allowed foreign contractors who did not have proper security clearances to view data.
The drip-fed details - including the light fine for the former Director General of the Transport Agency, Maria Ågren, for violating privacy laws and information handling regulations - have been met with harsh criticism. And there are lingering questions on how the exposure could affect Swedes.
"All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance," writes Rick Falkvinge, a well-known privacy activist and founder of the Pirate Party. "All of this data can be expected to have been permanently exposed."
Where it Began
The Transport Agency signed an agreement with IBM in April 2015 to run its information systems. Sometime after that agreement, Ågren "decided to abstain" from three privacy and data protection laws as well as internal information security guidance, the agency says in a FAQ published Sunday.
According to a report in The Local, IBM used subcontractors in the Czech Republic, Romania and Serbia, which then had access to the data, but did not hold proper security clearances.
IBM officials were not immmediately available for comment. The Transport Agency says it doesn't have any indication that the personal data was exposed beyond the contractors. But that's probably little consolation for someone in a witness protection program.
To that end, the agency addressed those people directly. It says that the contract it has with IBM mandates that Big Blue comply with the provisions of the country's Personal Data Act and that the information is not supposed to be shared with unauthorized parties.
"We have no indications indicating that data was disseminated improperly, so we do not see any direct cause for concern," the agency says.
The staff used by IBM and its subcontractors are "security-controlled by their own organization and have also signed a confidentiality agreement," but that regimen is not equivalent to the checks required in Sweden for access to such data, it says.
The exposure was apparently caught not long after the outsourcing arrangement began, and the Swedish Security Services began an 18-month review of the Transport Agency, which ended in June.
According to news reports, the exposure went far beyond just driver's license records and included personal details for Swedish Air Force pilots, people listed in police registers, personal details for military members in secret units, and details of government military vehicles and data on Swedish infrastructure, such as bridges.
In its FAQ, the Transport Agency maintained that most of its data is public, but that it could not outline the more sensitive data it holds. It says it does not hold data on military vehicles or have information on pilots, airports or aircraft or shipping-related data.
Director General Prosecuted
The violation of protocol was enough that in January 2016, prosecutors began investigating based on a report from the Swedish Security Service.
On Jan. 19, Ågren resigned. At the time, it was unclear why. On June 26, she was fined 70,000 kronor - about $8,500 U.S. - for negligence without intent. Given the depth of the exposure, Falkvinge says that's not enough. "Let's be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison," he writes. "But not when done by the government themselves. Half a month's pay was the harshest conceivable sentence."
Sweden is still dealing with the cleanup. Although the first indications of something awry appeared two years ago, the cleanup work is not done. The Transport Agency says that between May and July 2016, authorized personnel within Sweden took over network, server and storage administration.
But it is still working to ensure that the administration of "application operations" will run in the same way. That work, which the agency describes as "technically complicated and comprehensive," is expected to be completed later this year.
"We have ongoing work with our operating supplier for the purpose of controlling operations where only Swedish security-approved personnel will be responsible for the entire operation," the agency says. "At the moment, work is under way to speed up the process with our operating supplier."
IBM's contract with the Transport Agency runs through October 2020.