Swedish scandalous cloud security leak

A cybersecurity breach scandal involving the Swedish Transport Authority, Transportstyrelsen, erupted late last week and throughout the weekend according to numerous news reports.

The Swedish paper TK is reporting that when Transportstyrelsen outsourced a cloud services contract, technicians who were not Swedish citizens and who did not have security clearances were granted unfettered access to confidential information.

According to CSO Australia, Sweden leaks its military secrets, national driver database in IBM outsourcing deal the transportation agency in 2015 “inked a contract with IBM Sweden, which moved the data to servers at IBM’s Czech Republic operations, where technicians with access to the systems had not undergone Swedish security clearance checks. The contract remains in place today,” CSO reported.

“IBM also subcontracted NCR Corporation in Serbia to operate communications networks and firewalls, providing several staff with access to encrypted traffic between over 30 Swedish authorities that use government’s secure communications system, SGSI, or Secure Government Swedish Intranet. NCR technicians also had not undergone clearance checks,” the story continued.

As The Register reported the “databases pushed to the IBM cloud covered every vehicle in the country – including police and military registrations, plus details of individuals on witness protection programs. Individuals in the database include members of the military, including members of special forces units whose identity and photographs are supposed to be secret.

Falkvinge writes the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”

Also according to The Register, “the leak seems to have happened over email after the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it – and when the error was discovered, the agency merely sent a new list and told subscribers to delete the old list themselves.”

The then head of the transportation agency, Maria Ågren, was relieved of her post and  fined roughly two-week’s pay in January after having pled guilty to being careless with secret information.

"There’s an enormous amount of data in Swedish about the overall leak scandal, but among all that data, one piece bears mentioning just to highlight the generally sloppy, negligent, and indeed criminal, attitude toward sensitive information," said Rick Falkvinge, head of privacy at Private Internet Access and the founder of the first Pirate Party, the one who brough this local issue to the attention of international press.