[BreachExchange] Sweden Grapples with Sensitive Data Leak Scandal

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 25 19:16:20 EDT 2017


http://www.databreachtoday.com/sweden-grapples-sensitive-data-leak-scandal-a-10139

Sweden is grappling with the fallout from a sensitive data breach that
occurred two years ago and the scope of which has only recently trickled
out. It resulted in the prosecution of the former head of the Transport
Agency and deep questions over an outsourcing arrangement with IBM.

Prime Minister Stefan Löfven is expected to address the issue for the first
time on Monday after a shake-up of senior-level management in
Transportstyrelsen, or the Transport Agency, and its board.

There are differing accounts of what was exposed. But it indisputably
included the country's driver's license database, including photos, and
information on whether an individual was in a witness relocation program.

The Transport Agency sought in a news release Sunday to tamp down concerns.
But it has acknowledged that the agency's director general took security
shortcuts when overseeing a revamp of its IT infrastructure that allowed
foreign contractors who did not have proper security clearances to view
data.

The drip-fed details - including the light fine for the former Director
General of the Transport Agency, Maria Ågren, for violating privacy laws
and information handling regulations - have been met with harsh criticism.
And there are lingering questions on how the exposure could affect Swedes.

"All of this was not just outside the proper agencies, but outside the
European Union, in the hands of people who had absolutely no security
clearance," writes Rick Falkvinge, a well-known privacy activist and
founder of the Pirate Party. "All of this data can be expected to have been
permanently exposed."

Where it Began

The Transport Agency signed an agreement with IBM in April 2015 to run its
information systems. Sometime after that agreement, Ågren "decided to
abstain" from three privacy and data protection laws as well as internal
information security guidance, the agency says in a FAQ published Sunday.

According to a report in The Local, IBM used subcontractors in the Czech
Republic, Romania and Serbia, which then had access to the data, but did
not hold proper security clearances.

IBM officials were not immediately available for comment. The Transport
Agency says it doesn't have any indication that the personal data was
exposed beyond the contractors. But that's probably little consolation for
someone in a witness protection program.

To that end, the agency addressed those people directly. It says that the
contract it has with IBM mandates that Big Blue comply with the provisions
of the country's Personal Data Act and that the information is not supposed
to be shared with unauthorized parties.

"We have no indications indicating that data was disseminated improperly,
so we do not see any direct cause for concern," the agency says.

The staff used by IBM and its subcontractors are "security-controlled by
their own organization and have also signed a confidentiality agreement,"
but that regimen is not equivalent to the checks required in Sweden for
access to such data, it says.

The exposure was apparently caught not long after the outsourcing
arrangement began, and the Swedish Security Services began an 18-month
review of the Transport Agency, which ended in June.

According to news reports, the exposure went far beyond just driver's
license records and included personal details for Swedish Air Force pilots,
people listed in police registers, personal details for military members in
secret units, and details of government military vehicles and data on
Swedish infrastructure, such as bridges.

In its FAQ, the Transport Agency maintained that most of its data is
public, but that it could not outline the more sensitive data it holds. It
says it does not hold data on military vehicles or have information on
pilots, airports or aircraft or shipping-related data.

Director General Prosecuted

The violation of protocol was enough that in January 2016, prosecutors
began investigating based on a report from the Swedish Security Service.

On Jan. 19, Ågren resigned. At the time, it was unclear why. On June 26,
she was fined 70,000 kronor - about $8,500 U.S. - for negligence without
intent. Given the depth of the exposure, Falkvinge says that's not enough.
"Let's be clear: if a common mortal had leaked this data through this kind
of negligence, the penalty would be life in prison," he writes. "But not
when done by the government themselves. Half a month's pay was the harshest
conceivable sentence."

Sweden is still dealing with the cleanup. Although the first indications of
something awry appeared two years ago, the cleanup work is not done. The
Transport Agency says that between May and July 2016, authorized personnel
within Sweden took over network, server and storage administration.

But it is still working to ensure that the administration of "application
operations" will run in the same way. That work, which the agency describes
as "technically complicated and comprehensive," is expected to be completed
later this year.

"We have ongoing work with our operating supplier for the purpose of
controlling operations where only Swedish security-approved personnel will
be responsible for the entire operation," the agency says. "At the moment,
work is under way to speed up the process with our operating supplier."

IBM's contract with the Transport Agency runs through October 2020.