The Biggest Data Leak in Swedish History was also the Most Avoidable
It’s been described as “the biggest leak in Swedish history”, and it’s easy to see why.
Looking to cut costs, in 2015, the Swedish Transport Agency (STA) outsourced the management of its database and IT infrastructure to two companies — IBM in the Czech Republic, and NCR in Serbia.
Given the sensitivity of the data, it should only have been accessed by authorized personnel. But the STA was eager to deploy the system, ostensibly to save money on labor costs, and it bypassed vital security checks that would have otherwise prevented Czech and Serbian techies from working on the system.
Per Infosecurity Magazine, the database contained:
vehicle registration data from every Swedish citizen, data on all government/military vehicles, the weight capacity of all roads and bridges, names, photos and home addresses of Air Force pilots, police suspects, elite SAS-style operatives and anyone in a witness protection scheme.
There are also concerns that the European Union’s secure STESTA network, which was connected to the Swedish government intranet, was compromised.
Serbia has pivoted closer to Russia in recent years, and there is a concern that information from this database will be obtained by Russian intelligence. According to Swedish Pirate Party founder Rick Falkvinge:
While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.
The idea that Sweden — a member of the European Union, and a prospective NATO member — could be so careless with such sensitive information is deeply troubling.
The Swedish equivalent of the DMV didn’t just dox its citizens; it also released strategically crucial defense information and potentially compromised the security of the EU secure intranet.
But that’s only part of the story. Sweden’s impotent response deserves serious scrutiny.
Published documents show the Swedish government — particularly the Interior Minister and the Infrastructure Minister — knew about the insecure handling of the data as early as 18 months ago. As pointed out by Falkvinge, “they said and did nothing.” (Emphasis his)
The civil servant responsible for this spectacular (and catastrophic) screwup admitted “criminal negligence in handling classified information,” and was punished with a fine equivalent to half a month’s salary.
Given the very public outcry, both within Sweden and outside, I would certainly hope they’re scrambling to fix this calamity, which the country’s prime minister has described as “a disaster.”
At the very least, I’d hope they’ve learned a lesson about the nature of the cloud, and why going cheap isn’t always a good idea when it comes to critical technological infrastructure.
The unfortunate reality is that if the Swedish Transport Agency hadn’t been so driven by a desire to cut costs, or at least had been more discerning about where it offshored its data, it wouldn’t have found itself in this position.