Sweden, careful and conscientious Sweden, has a massive data breach

July 26, 2017

It is not too common that Sweden finds itself the victim of a massive data breach. It was an early implementer of data protection laws and generally has been seen as having a good system in place to protect personal information. As the itNews article "Sweden exposed sensitive data on citizens, military personnel" and the New York Times article "Swedish Government Scrambles to Contain Damage From Data Breach" show, maintaining proper data security is a constant challenge. This breach is likely to be regarded as a case study in what to do and especially what not to do in responding to a data breach.

That the Swedish Transport Authority would engage an outside contractor to store data in the cloud is not exceptional. It was, after all, IBM. However, IBM used subcontractors in the Czech Republic and Romania. No doubt for reasons other than their picturesque surroundings. The data was provided unredacted and without restriction, which meant that data relating to people in witness protection was included. That was bad enough, but it appears that when the government became aware, it did what governments all too often do. Kept quiet. Until now. The consequences of the breach are, as expected, severe. Jobs have been lost and prosecutions launched. There is the potential for the Government to suffer politically.

The itNews article provides:

Swedish authorities are battling to contain a major privacy breach that has seen sensitive information on its citizens and the country’s military leaked to companies and individuals outside the Nordic nation.

In 2015 the Swedish Transport Authority hired IBM to move the country’s drivers licence register to the cloud. IBM in turn used subcontractors in the Czech Republic and Romania.

These contractors were given access to the full dataset from the Transport Authority, which included information like photographs and home addresses on Swedish Air Force and special forces personnel.

The overseas contractors did not have security clearance to view such sensitive information, which also included road and bridge weight capacities and whether a vehicle is armoured, Sweden’s national TV broadcaster SvT reported.

People in witness protection programs were also included in the drivers licence data.

Rather than making available a redacted version of the database, the Swedish Transport Authority instead sent out clear text emails to the companies asking them to manually delete the sensitive information they held.

The email messages listed the full details of the individuals the government agency wanted removed.

While the data breach took place in March last year when the unredacted information was made available, the scandal has only now come into the public eye.

Sweden’s government knew about the data breach last year but kept quiet about it, according to SvT.

The general-director of the Swedish Transport Authority, Maria Ågren, resigned from her position in January this year.

Her resignation was originally attributed to differences with the government, but in July this year, Ågren was fined SEK 70,000 (A$10,740) for leaking classified information and harming national security.

Speaking to Swedish media, the newly appointed general-director of the country’s Transport Authority, Jonas Bjelfvenstam, said the government agency has embarked on a set of measures to improve its IT security, but cannot guarantee that foreigners without security clearance won’t have access to the sensitive data in the drivers licence database.

