It emerged this week that Sweden's security police Säpo investigated Transportstyrelsen after key information was made available to IT workers in other countries who had not gone through the usual security clearance checks when the agency outsourced its IT maintenance to IBM in 2015.
Swedish newspaper DN now reports that three IT workers in the Czech Republic were able to access all stored information during this period – including two confidential police databases which Transportstyrelsen's staff use when they look at driving licence applications.
These included criminal records and a database where the police keep information about people suspected of crimes – where in some cases even the suspects do not know they are being investigated.
“In that case you have opened up the possibility of accessing secret information that can be used against individuals, but also by organized crime which can make money from selling the data. You can also manipulate it by deleting or adding information,” security expert Johan Wiktorin told DN.
According to public broadcaster SVT, a register containing information about all of Sweden's military vehicles was also part of the data which non security-cleared foreign IT workers had access to.
IT workers from a company in Serbia were also able to monitor traffic between Transportstyrelsen and 34 Swedish government agency via the Swedish Government Secure Intranet (SGSI).
The system is connected to a protected EU network, TESTA, and only Swedish citizens who have undergone special training are allowed to access it. The Serbian staff were therefore not given the cryptokeys, but were able to monitor communication via the network, writes DN.
“It is serious if you put normal rules to the side. Foreign powers can see from the traffic pattern when the system is vulnerable due to maintenance work. And in the case of sudden incidents it is possible to measure Swedish authorities' response times and know with whom Transportstyrelsen communicates – in short how state transport management works in a crisis situation,” said Wiktorin.
The maintenance of Transportstyrelsen's IT system was outsourced to IBM in April 2015 in order to save money. But the transfer took place under time pressure, because the Swedish Transport Administration (Trafikverket) which previously ran the registers had already started letting staff go, and Transportstyrelsen's CEO Maria Ågren made a decision to bypass the usual security rules.
She was fired in January 2017 and recently fined 70,000 kronor after a Säpo investigation.
The scandal has stirred debate in Sweden, where authorities have been criticized in the past for not doing enough to boost cyber security, and political opposition parties have pressed the government for information about when they knew about the incident and why parliament was not informed.
On Friday afternoon Infrastructure Minister Anna Johansson held an extraordinary meeting with Sweden's parliamentary defence committee and committee on transport, with representatives from Säpo and the Transport Agency also invited.
Opposition party members have urged further clarification over what happened.
“It's now important to clarify what damage has occurred, for individuals, for companies and for the realm. And how has the confidence in Swedish authorities been damaged? Are there more authorities under Anna Johansson where something similar has occurred?” Anders Åkesson, Centre Party representative on the transport committee asked.