Nothing is more scarring than the possibility of having your personal data fall into the wrong hands. The impact seems even more callous when the cause behind the breach is not a malicious virus, or a mystery hacker from a far away land, but rather from an oversight by an institution that you’d think would be good at following its own laws- The Government.
While data breaches are sadly a recurring incident, the one that recently caused chaos in Sweden is being dubbed as the largest breach in the nation’s history. This IT scandal shows us just how vulnerable all our personal information is, since everything is recorded and stored in someone’s database, and how its integrity is susceptible to someone else’s strength of character.
The IT Debacle: An Outsourcing Blunder
Even though it’s only now making headlines, the breach actually occurred back in March 2015 when in an attempt to save costs, the Swedish Transportation Agency (STA), Transportstyrelsen- a governmental institution that regulates the transportation systems throughout Sweden, outsourced their database management and other IT operations to IBM Sweden.
Maria Agren, the former director general of the transportation agency, was aware of this imminent transfer, and also about the laws, like the National Security Act, Publicity and Privacy Act, and the Personal Data Act, that required IBM’s staffers working on this project to have proper security clearance before being allowed to work on this contract. These laws exist to protect the integrity of the nation’s most sensitive information and operations from falling into questionable hands. When her department informed her that this process would take time, she decided to bypass the laws designed to keep the integrity of such sensitive and personal records intact.
This, according to a STA staff member, was akin to giving away the “keys to the kingdom”….
Sidestepping these laws gave staffers outside of Sweden access to the transportation agency’s systems, including the employees in the Czech Republic and Serbia who hadn’t undergone the required security clearance process.
It Doesn’t End There: Military, Police, Citizens- Data of Millions of Swedes Leaked
STA then proceeded to upload all of its data onto IBM’s cloud servers, where it was accessible to everyone, including to those unauthorized IT folks without security clearance, and STA’s IT employees who were being laid off.
Then, on March 2016, a group of approved marketers who had subscribed to a special database, were scheduled to get access to the database which only contained publicly available vehicle information. This is quite a normal process. Marketers of these companies usually use this information to send out targeted advertisements to car owners in specific regions.
But on that day, the database that was made available to them contained information on protected identities as well. These are people who are constantly facing serious threats to their safety. The leaked information even included their home addresses. When the Transportation agency realized its mistake, instead of sending them a new list and having them destroy the previous data log, they sent out an open email in clear text, highlighting the chassis numbers and registration info of those with protected identities, asking them to delete those data themselves…
…Quite a bizarre tactic to rectify such an impactful security mistake.
What Information Did the Leak Expose?
This wasn’t just another breach. This was a legendary IT security slip up that exposed substantial amount of Sweden’s most guarded information. The transportation agency is the depository of Sweden’s driver license data, so information linked to every registered vehicle, including military and police, was leaked. This includes the name, photo and home address of millions of Swedish citizens.
Here is some of the classified information that was leaked, according to Rick Falkvinge, founder of Swedish Pirate Party, and other Swedish news:
- Weight capacity of roads, subways, harbors, and bridges that can reveal a lot of information on warfare.
- Name, photos and home address of Swedish combat pilots, everyone in the police’s secret register that are considered to be classified, all the members of military’s most secret units, and everyone in witness relocation programs.
- Details of all military vehicles, and their condition, were also leaked, along with their operators. This has compromised the structural integrity of military support units, and can reveal a lot about order of battle.
- Personal information from all driving licenses in Sweden.
The Slowly Unfolding Aftermath of the Swedish Data Leak
Back in January 2016, Swedish Secret Service came to know about this negligent handling of classified information, and decided to investigate the incident. This resulted in the firing of Maria Agren in January 2017. The reason given at the time for her firing was that Agren’s views on how to carry out agency’s work was not in line with that of the Government. The Swedes came to know about this incident only when in a speedy trial Agren gets convicted of mishandling classified information and fined SKr 70,000 ($8,500 or half of a month’s pay). This is when the public realized something awful had happened.
That day, Prime Minister Stefan Lofven confirmed that he had his suspicions since January when Argen was fired.
On July 14th, it was made known that Transport Agency’s chairman, Rolf Annerberg, had known about these violations in 2015. On his interrogations with Sapo (Swedish Security Service), he mentioned his weekly meeting with Maria Agren, especially the boardroom meeting where they were informed about the two bad choices that faced them- to risk the cancellation of their IT operations or to allow foreign technology to handle their IT systems, while abstaining from the standard security protocol. The board decided to go with Maria’s assessment even though they knew this would give unauthorized technicians a wealth of classified information.
Despite knowing about this all along, he failed to notify anyone. At a press conference, Infrastructure Minister Anne Johansson stated that Rolf Annenberg will step down from his position as the chairman of the board of Swedish transportation.
The employees of STA who knew what was going on were asked to remain silent.
Prime Minister, Stefan Lofven, has called this breach “a total breakdown. It is incredibly serious. It is a violation of the law and put Sweden and its citizens in harm’s way.”
He said that the home affairs minister, Anders Ygeman, and the infrastructure minister, Anna Johansson have both resigned from their positions amidst this scandal.
Where Are We Now?
The investigation that began in January 2016 shows that at least 3 unauthorized people in Czech Republic had access to the data, and they could have stored the information and deleted their electronic footprint.
Jonas Bjelfvenstam, the new director of STA has said that it would take until this fall to properly secure the information that has become available because of the Swedish data leak.
As for the moral of this entire fiasco, Falkvinge says it the best: “Any governmental assurance to keep your data safe have as much value as a truckload of dead rats...”
Accidental leaks of this caliber can easily put the whole country in danger. In times where hackers proactively work toward stealing information, negligence of this sort only makes their job easier.
Open and swift communication between departments, and utmost transparency if a mistake does occur, is absolutely mandatory to find ways to stop the damage in its tracks, before it gets worse and becomes a disaster. Decision makers were kept in the dark by other decision makers.
The political noise that this breach has caused is a necessary one, to prevent further mishaps like these. How much this brings down the government infrastructure only time will tell, but it has triggered important security related conversations that need to be had in order to protect sensitive materials in such an interconnected world.
At the end of the day, data security is your own responsibility. Safe-T’s SDE (Secure Data Exchange) secures every data exchange flow, whether it’s human to application, human to cloud, or business to business. It safeguards high risk data from leakage, malwares, and other cyber crimes, and protects data transfers using Safe-T’s Securestream engine. All stored data gets encrypted. It’s a centralized and integrated data safety solution that defends your data from ending up in the wrong hands.