There are security fuck-ups and there are legendary security fuck-ups. This one clearly falls into the latter category. Swedish Prime Minister Stefan Lofven confirmed at a press conference on Monday that his administration potentially exposed the personal information of millions of Sweden’s citizens.
Normally, for a fuck-up to be legendary, it needs the benefit of time—something doesn’t just instantly become a legend. Well, even though this story is just now getting attention, the initial fuck-up occurred back in September of 2015. That’s when the Swedish Transport Agency (STA) started outsourcing its database and IT service management to private companies like IBM in the Czech Republic and NCR in Serbia.
What happened next is only gradually becoming clear. A series of reports by Swedish newspaper Dagens Nyheter began to bring more information to the public in mid-July, and Pirate Party founder/privacy advocate Rick Falkvinge has been distributing the information for the English-speaking world.
From what we understand, the agency proceeded to upload all of its data to IBM and NCR’s cloud servers, where it was accessible by people outside of Sweden who didn’t have proper security clearance.
This information included all the details you’d find on a vehicle registry: the names, photos, and home addresses of millions of Swedish citizens. That’s enough of a problem in and of itself. But this info was publicly available by request. What wasn’t publicly available was the personal information on members of the military, secretive special forces, suspects wanted by police, citizens in witness protection, complete information about the model and condition of all military vehicles, and technical specs on roads and bridges.
While Serbia and the Czech Republic aren’t exactly enemies of Sweden, both countries have taken anti-EU positions and their intelligence services would likely be interested in all of this restricted data.
On top of that, the data was also available to all of the STA IT workers in Sweden as they were being laid off, meaning that disgruntled workers could have downloaded it for a short time. Then, another breach occurred.
In March of 2016, the publicly available vehicle information was supposed to be made available to approved marketers who subscribe to a special database. Somehow, the database also contained the information of the thousands of people with protected identities. The Swedish Secret Service caught wind of the mistake and notified the STA. Administrators proceeded to make a bad situation worse by sending out an ordinary email, in cleartext, that listed all of the information that was supposed to be protected, and they asked vendors to simply remove it from their databases.
STA’s Director General Maria Ågren resigned in January due to “different views on how the business would be conducted,” according to Swedish news outlet SVT. Ågren was fined $8,500 by a Swedish court last month for being careless with secret information, according to the Financial Times.
Seriously, let that sink in. The Director General admitted to signing “a decision to abandon current legislation and the Transport Agency’s guidelines for accessing systems and servers,” which subsequently exposed tons of secure data, and she was fined $8,500.
At Monday’s press conference, Prime Minister Lofven said that he’s known about the situation since January. He said that a review of internal policies would be conducted and he still has full faith in all his ministers. Opposition parties have indicated that they are considering putting a no-confidence motion in front of Parliament for debate.
You can read a full timeline of this absurd tale right here. And it would be a dereliction of duty not to include Falkvinge’s assessment of the moral of this story: “Any governmental assurances to keep your data safe have as much value as a truckload of dead rats in a tampon factory.” [SVT, The Hacker News, Bloomberg, Private Internet Access, Financial Times]