Sweden leaks top-secret records in data centre outsourcing ‘disaster’
Mon 24 Jul 2017
Sweden is facing a considerable clean-up following a sensitive national data breach which took place in 2014 – the details of which have recently come to light.
The data leak, which exposed top secret police databases to Czech IT workers, resulted in the prosecution of the former head of the country’s Transport Agency, Maria Ågren, and has raised major concern over the government department’s data centre outsourcing agreement with IBM.
Swedish Prime Minister Stefan Löfven has addressed the issue, describing the slip-up as a ‘disaster’.
‘What happened at the Transport Agency (Transportstyrelsen) was a disaster. The government has therefore replaced the leadership of the authority and ensured that the relevant authorities have taken measures to limit the harmful effect,’ he commented in an official statement.
While there are differing reports on the leaked information, it supposedly contained details on Swedish driving licenses, including photos, as well as geographic data related to witness protection programmes.
It has also been suggested that the files included information on Swedish Air Force pilots, people listed in police registers, military members in secret units, details of government military vehicles and data on Swedish infrastructure.
The Transport Agency has admitted that Ågren took shortcuts when overseeing the security of the department’s IT infrastructure, allowing foreign contractors access to the data without the necessary security clearances.
‘All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance,’ wrote privacy activist Rick Falkvinge in a blog post. ‘All of this data can be expected to have been permanently exposed.’
The Swedish Transport Agency signed a partnership with IBM in April 2015, agreeing that the tech giant would manage its IT systems. Ågren later ‘decided to abstain’ from three privacy and data protection laws, as well as internal information security guidelines, according to a department FAQ on the issue.
The reports suggest that IBM was employing subcontractors in the Czech Republic, Romania and Serbia, who had access to the data but did not hold the relevant security permissions.