Sweden's government has exposed sensitive and personal data of millions, along with the nation's military secrets, in what is now considered to be one of the worst government IT disasters ever. The leak, which occurred in 2015, saw the names, photos and home addresses of millions exposed. Those affected include fighter pilots of the Swedish air force, police suspects, people under the witness relocation programme, members of the military's most secretive units (equivalent to the SAS or SEAL teams) and more.
The leak occurred after the Swedish Transportation Agency (STA) decided to outsource its database management and other IT services to firms such as IBM and NCR. However, the STA uploaded its entire database onto cloud servers, which included details on every single vehicle in the country. The database was then emailed to marketers in a clear text message. When the error was discovered, the STA merely sent another email asking the marketing subscribers to delete the previous list themselves.
According to local reports, the value of data leaked was tantamount to handing over the "keys to the kingdom". IBM's Serbian branch was also allegedly contracted to operate Sweden's secure government intranet, which in turn is connected to the EU's secure network STESTA. In other words, the EU's secure network was also exposed to those who gained access to the database. What is worse, those provided access to the database are allegedly foreign nationals in countries that are increasingly pro-Russia and anti-EU.
"The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high-ranking Swedish government officials. Even if there are additional levels of encryption on STESTA, which there may or may not be, this has 'should never happen' written all over it," said Rick Falkvinge of the privacy-advocating organisation Private Internet Access.
Although the leak occurred in 2015, Sweden's Secret Service only discovered the breach in 2016 and began investigating the incident. According to a report by The Local, STA director-general Maria Ågren was quietly fired in January. She was found guilty of being "careless with secret information" and was fined 70,000 Swedish krona ($8,500, £6,500).
"It started out with a very speedy trial where a Director General in Sweden was fined half a month's pay. Given how much the establishment has got each other's backs, this sentence was roughly equivalent to life in prison for a common person on the street, meaning they must have done something really awful to get not just a guilty verdict, but actually be fined half a month's salary," Falkvinge said. "Let's be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison. But not when done by the government themselves. Half a month's pay was the harshest conceivable sentence."
Unfortunately, the STA's leaked database remains under the management of the two foreign firms, even as the Swedish government continues to investigate the scope of the leak. Meanwhile, the leaked database may be secured in the fall, according to the STA's new director-general Jonas Bjelfvenstam, Swedish newspaper Dagens Nyheter reported.