The privacy of Swedish citizens is at risk after a massive trove of data belonging to the Swedish Transport Agency (STA, Transportstyrelsen) was mistakenly uploaded to a cloud server. The data contained personal and vehicle information on almost every citizen in the country, including military and police officials.
According to a Swedish newspaper report, the breach took place in September 2015, when STA outsourced its IT services, including database management, to IBM’s subcontractors in the Czech Republic, Romania, and Serbia, who had access to the data without any security clearance.
It was not until March 2016 that the Swedish Secret Service found out that the data had been uploaded to an unprotected cloud server. The investigation revealed that the breach exposed names, addresses, and pictures of millions of citizens, details about people listed in police registers, details of government military vehicles, driver’s license records of fighter pilots of the Swedish air force, personal details of military members in secret units, and data on critical infrastructure in Sweden, including roads and bridges.
Rick Falkvinge, a prominent Swedish privacy advocate and founder of The Pirate Party, wrote that “All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance. All of this data can be expected to have been permanently exposed.”
Rich Campagna, CEO of Bitglass, commented on the issue: “Unlike breaches where malicious users target vulnerable systems, this leak of personally identifiable information was the result of carelessness. Unrestricted access to personally identifiable information and limited recourse in terms of recovering that data are both serious gaps in security.”
STA’s Director General Prosecuted
After the leak, the STA’s Director General, Maria Ågren, resigned and faced a court case. However, she was only asked to pay half of her monthly salary as a punishment (70,000 Swedish krona, equal to $8,500), which is quite ridiculous for a national-security-level breach.
Falkvinge further criticized the court verdict and said that “Given how much the establishment has got each other’s backs, this sentence was roughly equivalent to life in prison for a common person on the street, meaning they must have done something really awful to get not just a guilty verdict, but actually be fined half a month’s salary.”
The Swedish government and security agencies are still looking into the matter, while Swedish Prime Minister Stefan Löfven is expected to address the issue today for the very first time. However, at the time of publishing this article, Swedish media reports claimed that the data is still in the hands of foreign companies and, what’s worse, that all the data is in clear text.