Swedish PM admits that huge data leak is ‘a disaster’

The Swedish prime minister has admitted that the leak of the confidential data of millions of Swedes as a result of the country’s transport agency outsourcing operations to third party contractors is “a disaster”.

Speaking in Stockholm on Monday, Stefan Löfven (pictured) also confirmed that he had known about the leak since January, with other ministers being aware of it as long as 18 months ago, the FT reported.

Swedish media have reported that the leaked data includes defence plans and details of witness protection schemes – which a  large number of foreign nationals had unencumbered access to while the Swedish transport agency began outsourcing its operations. The Swedes expect to fix the problem – but  not completely until sometime in the fall.

What’s the backstory?

Back in 2015, the Swedish Transport Agency, which regulates everything from civil aviation to driving licenses,  crafted a SEK 800M ($98M) contract  – one of the largest IT contracts in Swedish history – to outsource database and IT service management. That contract was won by IBM Sweden, which in turn outsourced the operations to countries in eastern Europe, with the result that “foreign staff had responsibility for Swedish classified information”.

It seems that as the data was uploaded to the cloud servers, it was available to people outside Sweden who didn’t have security clearance.

To make matters worse, it seems that the transport agency’s director-general, Maria Ågren, had “decided to abstain” from the National Security Act, the Personal Data Act and the Publicity and Privacy Act when overseeing the outsourcing project, according to a statement from the agency.

What’s do we know about what’s been exposed?

The agency has information on all vehicles in Sweden, including some, but not all military vehicles. It also is the depository for the nation’s driver’s license data, including photos – which also happens to include individuals under protective order, and those of undercover law enforcement workers.  Additionally, the nation’s infrastructure data with respect to roads, ports, air, rail, etc., is under its sway

In an opinion piece, Swedish television’s Oskar Jönsson notes that the police have confirmed that the information “disclosed could be used by foreign powers to identify military and police facilities”. Furthermore, it is described as tantamount to giving someone “the keys to the Kingdom of Sweden”. Jönsson also confirms he has the 248-page investigatory report, which appeared in his mailbox a few weeks ago.

What access do the foreign nationals have to the Swedish databases?

According to the police, the employees in the Czech Republic had (for a period) greater access to the transport agency’s servers than the transport agency itself had. They controlled the servers (in the cloud) from the Czech Republic.

Why should we care?

Other nations have an interest in personal information and national infrastructure information. According to SAPO (Swedish Security Service) in its 2016 Annual Report, the services works diligently to avoid having any individual, be they an agent of a foreign power or one operating in a grossly negligent manner, expose national information of a secret nature to any unauthorized person.

Furthermore, the security service chairs the National Collaboration for the Protection against serious IT Threats (NIST) which works with the military and defense signals departments to thwart the efforts from an “attacker to access or damage Swedish civilian and military resources”.

The SAPO annual report also details how nation states will target Sweden and its citizens for information on technology, infrastructure and personnel. Chief information security officer at the Internet Foundation in Sweden, Ann-Marie Eklund Löwinder, is quoted by Swedish TV (loosely translated)

It’s not that other states do not take our information. This type of information has always been of interest to intelligence. This is almost like we published the information publicly.

Furthermore, the transport agency has access to the European Union’s STESTA (secure network) and the Secure Government Swedish Intranet (SGSI), and this access could have been exposed to non-authorized contractors working on the project.

Is this the first time the transport agency has had an event that leaked sensitive information? Sadly no, in March 2016 (in the midst of this data transition) the agency sent out the mailing list of all cars and their owners, including people with “protected identities”. Upon realizing the error, they then compiled a list of these individuals and sent that refined (and sensitive list) to those who had received the initial mailing and asked the recipients to remove the vehicles identified from the original mailing list.

What’s happened?

The timeline as provided by Swedish Television is as follows:

2015 – The transport agency outsources its automotive/license registration to IBM. The effort includes more than 1,000 servers, data centers and support.

June 2015 – Sweden’s security service checks on the transfer of IT operations and notes that IBM has placed operations in Serbia and the Czech Republic

November 2015 – Sweden’s security service calls for an end to the outsourcing.

January 2016  – Its calls ignored, the security service begins a “preliminary investigation into negligence with secret information”

January 2017 – Transport agency director-general Maria Ågren is fired

July 6 2017 – Ågren is convicted of mishandling the information and fined SEK 70,000 ($8,500).

July 6 2017 – Prime minister Stefan Löfven confirms that the transport agency has exposed government databases to unauthorized foreign entities and that Ågren signed the authorization

Speaking to journalists on Monday, Löfven said that “what happened in the transport agency is a disaster. It is extremely serious. It has exposed both Sweden and Swedish citizens to risks.” He added that he continued to have full faith in his ministers – but opposition parties were reported to be considering a vote of no confidence.

To be clear, there’s no suggestion that IBM Sweden is in the wrong – and IBM has declined to comment on the row.

This is one which we will continue to follow.