Swedish Government Scrambles to Contain Damage From Data Breach

This post was originally published on this site
https://static01.nyt.com/images/2017/07/26/world/26Sweden/26Sweden-moth.jpg

STOCKHOLM — Sweden’s government is scrambling to contain the political fallout from a huge breach of confidential data, including the possible disclosure of the identities of undercover operatives, under the watch of a government contractor.

The breach was disclosed this month by the Swedish newspaper Dagens Nyheter, when it reported that Maria Agren, the former director general of the Swedish Transport Agency, had been fired in January for negligent handling of classified data.

The agency entered into an outsourcing agreement with IBM Sweden in April 2015, worth nearly $100 million, to manage vehicle registration and driver’s license databases.

But adequate safeguards were not adopted, and as a result, unauthorized personnel at IBM subsidiaries in Eastern Europe had access to vast troves of sensitive information, including details about bridges, roads, ports, the subway system in Stockholm and other infrastructure.

In addition, the identities of people working undercover for the Swedish police and the Swedish security service, known as Sapo, may have been revealed, along with names of people working undercover for the special intelligence unit of the Swedish armed forces.

Unlike other cases involving breaches of government data, the case in Sweden does not appear to involve hacking or other malice. Instead, the focus has been on an apparent absence of proper safeguards and oversight.

On Monday, Prime Minister Stefan Lofven called the breach of information “a total breakdown.” He said: “It is incredibly serious. It is a violation of the law and put Sweden and its citizens in harm’s way.”

Anders Thornberg, head of the Swedish Security Service, told journalists: “This is very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.”

Members of Parliament have not been satisfied by those assurances. On Tuesday, they interviewed Defense Minister Peter Hultqvist and Interior Minister Anders Ygeman behind closed doors, asking why Mr. Lofven was only informed of the breach in January, at least 10 months after they became aware of it.

The scandal could throw the government, which is dominated by Mr. Lofven’s center-left Social Democrats, into turmoil. In a phone interview, Anna Kinberg Batra, the leader of the opposition Moderate Party, said a no-confidence vote in one or more ministers was possible.

“They have failed to communicate among themselves and to the prime minister, to the opposition and to the Swedish people,” she said.

“I think the public needs to know if our national security is jeopardized or not. In my mind the minister must swiftly inform the prime minister, who apparently hadn’t heard of this until this year. That is really the essence of the crisis of confidence.”

According to the results of a preliminary investigation that began in January 2016, at least three unauthorized people in the Czech Republic had full access to the databases, meaning that they could copy the information and erase their electronic footprints.

The new director general of the transport agency, Jonas Bjelfvenstam, has said it will take until this fall to secure the leaked information.

Sapo urged in November 2015 that the outsourcing deal be stopped, but its recommendation was not followed, according to Dagens Nyheter.

Ms. Agren, the fired head of the transport agency, was fined $8,500 last month for being careless with sensitive information and sidestepping laws designed to protect security, privacy and details surrounding personal identity data.

Bengt Erik Angerfelt, a retired cybersecurity expert who worked with I.T. security and internet crime for the Swedish police, Sapo and Interpol, said he was not surprised by the scandal given pressures to cut costs and the ever-increasing complexity of a connected world.

“One is trying to do things as cheaply as possible and it’s expensive to hire your own personnel,” he said in a phone interview. “To do security checks on personnel in other countries is difficult.”

The head of information technology at the transport agency admitted to Sapo, the security service, that “the keys to the kingdom” had been given away, Dagens Nyheter reported on July 14, citing the preliminary investigation report by Sapo.

The transport agency manages millions of personal records and data about the infrastructure of the country’s defense. Anyone with a driver’s license, and toll-paying motorists in Stockholm, are registered, as are pilots, train conductors and air traffic controllers.

Through this information it is also possible to trace people with protected identities, armored vehicles, missing vehicles as well as where and when the transport of valuables and money are scheduled, Dagens Nyheter reported.

Ms. Agren’s sidestepping of the laws meant IBM Sweden had free rein to give access to people who had not received security clearance, it reported. It said that the project manager for the outsourcing agreement admitted during questioning that “he had no knowledge whatsoever of how to ensure security.”

IBM Sweden could not be immediately reached for comment.