In a slowly-unfolding scandal in Sweden, it's emerged that the country's transport agency bungled an outsourcing deal with IBM, putting both individuals and national security at risk.
Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rik Falkvinge has been working to bring details of the scandal into the Anglosphere.
Falkvinge writes Sweden's government has been trying to handle the huge leak of sensitive data away from the public eye.
The story goes back to 2015, when Sweden's transport agency awarded IBM a contract to manage its databases and networks.
The databases pushed to the IBM cloud covered every vehicle in the country – including police and military registrations, plus details of individuals on witness protection programs. Individuals in the database include members of the military, including members of special forces units whose identity and photographs are supposed to be secret.
Any governmental assurances to keep your data safe have as much value as a truckload of dead rats in a tampon factory.
Falkvinge writes the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”
The leak seems to have happened over email after the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it – and when the error was discovered, the agency merely sent a new list and told subscribers to delete the old list themselves.
As Thelocal reports, the scandal didn't end there: the outsourcing deal gave IBM workers outside Sweden access to the transport agency's systems without proper security clearance.
Those staffers and contractors included personnel in the Czech Republic, who had access to all data and logs; while a company in Serbia managed firewalls and communications.
TheLocal says a security agency report into the blunder is so heavily redacted that it's impossible to know if national security was compromised. However, Falkvinge says the database included national security information such as:
- Road and bridge loading capacity, which would indicate what routes are designed to act as ad-hoc airfields in a crisis; and
- ”Type, model, weight, and any defects of any and all government and military vehicles, including their operator”.
Even when the now-former head of the transport agency, Maria Ågren, was fined half a month's pay in January after entering a guilty plea to being careless with secret information, the agency was unable to guarantee the security of its data.
On Friday, the agency's new director-general Jonas Bjelfvenstam said the systems will be secured by the northern Autumn.
Falkvinge's assessment of the incident is scathting. "It goes to show, again, that governments can’t even keep their most secret data under wraps," he wrote, "so any governmental assurances to keep your data safe have as much value as a truckload of dead rats in a tampon factory." ®