Swedish Agency Exposes Military Secrets; Fines the Guilty Half a Month’s Salary
The transport agency of Sweden has exposed the personal data of millions of its citizens in what is now being called one of the worst government IT disasters.
The story goes back to 2015 when IBM received an IT maintenance contract from the Swedish Transport Agency, Transportstyrelsen. Apparently, IBM administrators in the Czech Republic were given full access to all data and logs by the Swedish agency without any security clearance. Local news agencies are calling this security catastrophe of outsourcing without prior security checks as handing over "the keys to the Kingdom."
The Scandinavian government is stuck in a scandal that it tried to hush up before it blew out of proportion. The mishandling of this outsourcing deal may have resulted in the leak of the private data of every car owner in the country, including police and military transport. The 2015 leak exposed personal information, such as names, photos and home addresses of millions of Swedish vehicle owners, including fighter pilots of the Swedish air force, police suspects, those under the witness protection program, and the members of the military's most secretive units.
Swedish newspaper Dagens Nyheter (DN) that has seen the police investigation documents, reports that the IBM employees in the Czech Republic were given full access to all data and logs, while firewalls and communications were maintained by a company in Serbia.
Local papers also report that the IBM Serbian branch was also allegedly contracted to operate Sweden's secure government intranet. This gov intranet is then connected to the EU's secure network STESTA, meaning the botched up contract also put the EU's secure network at risk. "The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high ranking Swedish government officials," Rik Falkvinge, head of privacy at VPN provider Private Internet Access, writes noting the pro-Russian sentiments of Serbia.
"Even if there are additional levels of encryption on STESTA, which there may or may not be, this has "should never happen" written all over it."
Not the first security disaster by STA
Apparently, this isn't the first time that Sweden's transport agency has messed up IT security. Not only did it bungle the deal with IBM, it also emailed the entire vehicle database to marketers subscribing to it last March. While the vehicle register is in public information, this database included the people in the witness protection program. Falkvinge adds that the agency sent a second email pointing these sensitive records out and requesting its subscribers to remove these records themselves, in a cleartext email.
The Swedish government has since been trying to handle the criminal leak of sensitive data away from the public eye. The incident "exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation."
Worst ever government leak in Sweden?
And the sentence?
Maria Ågren, the Director General behind this scandal was fined half a month's salary.
When this verdict was announced after a speedy trial, people started to dig into what actually had happened, eventually resulting in the retirement of the now-former DG in January. Only earlier in July did it surface that she was involved in possibly one of the worst government leaks ever and was found guilty of exposing classified information in a criminal court.
Swedish papers report that the agency report into this incident is so heavily redacted that it's impossible to learn the sensitivity of this exposure. Falkvinge, however, claims that the database had national security information, including:
The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);
Names, photos, and home addresses of fighter pilots in the Air Force;
Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;
Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;
Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;
Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;
The new Director General says that while there's no guarantee that those who don't have security clearance in Eastern Europe do not still have access to this information, the agency is working to "fix" the issues by fall.
"If a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison," Falkvinge writes. "But not when done by the government themselves. Half a month’s pay was the harshest conceivable sentence."