The Swedish government has become embroiled in scandal after it emerged a mishandled outsourcing deal may have led to the leak of the private data of every car driver in the country.
As reported by Swedish media publication The Local, local law enforcement is investigating the Swedish Transport Agency (Transportstyrelsen) after an outsourcing deal with IBM went awry, leading to the exposure of information about every vehicle in the country, including police and military transport.
While outsourcing isn’t necessarily an issue, the problem, in this case, is that Eastern European IT staff given the contract had not undergone typical security clearance checks.
This story began back in 2015 when IBM received an IT maintenance contract from Transportstyrelsen.
Swedish newspaper Dagens Nyheter (DN) reports that IBM administrators were able to access all data and logs, and an exposé by Rick Falkvinge, head of privacy at VPN provider Private Internet Access, suggests that the leak could have disastrous consequences for national security.
Falkvinge says that the names, photos, and home addresses of Air Force fighter pilots, secretive military units and those in witness relocation programs were also exposed, alongside information related to military vehicles, the weight capacity of all roads and bridges, and the identity of anyone in police registers.
Former Director General of the Transport Agency Maria Ågren was fired in 2017, but it has only just emerged that the now-retired government official has been fined 70,000 kronor after an investigation into the potential leak found her guilty of being “careless with secret information,” according to the publication.
This is not the first time the transport authority’s security processes have been found lacking.
Last March, the country’s vehicle register was sent to marketers subscribing to it. This is nothing unusual; however, the copy was sent as a full list including the identities of those in witness protection and similar programs, which were pointed out with a request for subscribers to delete such records themselves.
To make matters worse, the information was sent in a clear-text email.
This potentially devastating breach of data protection is ongoing and, according to the transport agency, may not be fixed until the fall. Director General Jonas Bjelfvenstam said that he cannot guarantee those without security clearance in Europe do not still have access to this information.
“When our action program is completed in the fall, then it will be possible to rule it out,” Bjelfvenstam admitted.
Earlier this month, security experts warned that customers of telecommunications giant Verizon were still at risk of their personal information being used fraudulently after an exposed and unprotected Amazon S3 cloud server was discovered holding customers’ account details for the past six months. This sensitive data included millions of individual customer names, phone numbers, and their account PINs.