Sweden's security police Säpo has investigated the Swedish Transport Agency (Transportstyrelsen) after information about all vehicles in the country – including police and military – was made available to IT workers in Eastern Europe who had not gone through the usual security clearance checks when the agency outsourced its IT maintenance to IBM in 2015.
The scandal hit the headlines in Sweden when it emerged that former director-general Maria Ågren – who was fired for undisclosed reasons in January 2017 – had been fined 70,000 kronor after the probe found her guilty of being “careless with secret information”.
IBM administrators in the Czech Republic were given full access to all data and logs, reports Swedish newspaper Dagens Nyheter (DN) which has seen the Säpo investigation documents. Firewalls and communications were meanwhile maintained by a company in Serbia.
One Transport Agency staff member described the outsourcing without proper security checks as handing over “the keys to the Kingdom” in an interview with Säpo, reports DN.
“The fact that a security check has not been made is serious. That means you have not tested the people's loyalty and don't know if you can trust them from the Swedish side. In the case of Serbia there's a fairly close relationship between the Serbian and Russian intelligence services. In the worst case, foreign intelligence services have been given an access route into the computer systems,” security expert Johan Wiktorin told DN.
“I think it is serious that security protection is not taken seriously at so many government agencies, including the Transport Agency in this case,” prosecutor Ewamari Häggkvist told Swedish public radio.
“It is not forbidden in Sweden to place data services in other countries, even if you're an authority that holds secret information. But what it's about is that people need security clearance to handle such data, and that's where they failed.”
The maintenance of the Transport Agency's vehicle and licence register was outsourced to IBM in April 2015 in order to save money. But the transfer took place under time pressure, because the Swedish Transport Administration (Trafikverket) which previously ran the register had already started letting staff go, and Ågren said she saw no other option than to bypass the usual security rules.
It is not known whether the security glitch caused any major damage. The question of whether or not Sweden's national security was harmed is censored in the Säpo report.
Swedish authorities' IT security has come under fire several times in the past year. Last year the National Audit Office (Riksrevisionen) scrutinized nine state-controlled agencies and found that it was not “a sufficiently high priority (…) in relation to the risks that exist”.
Last month the centre-left government presented a new national strategy for information and cyber security.
“If you have information critical to society it is not a good idea to store it somewhere where you can't control it. The risk of using foreign cloud services is that you can't control who could be able to access the information. If we're talking about an attacker who is a high-capacity foreign state that type of outsourcing carries obvious risks,” Interior Minister Anders Ygeman was quoted by the TT newswire as saying at the time.