A leak, an apparent cover up, and a paltry fine for one of the biggest government leaks in history.
The Swedish Transport Authority (Transportstyrelsen) is in hot water over a massive IT outsourcing deal with IBM that exposed the nation’s transport register, police registers and military secrets to foreign nationals.
Under pressure to cut costs and modernize IT systems, the agency in 2015 inked a contract with IBM Sweden, which moved the data to servers at IBM’s Czech Republic operations, where technicians with access to the systems had not undergone Swedish security clearance checks. The contract remains in place today.
IBM also subcontracted NCR Corporation in Serbia to operate communications networks and firewalls, providing several staff with access to encrypted traffic between over 30 Swedish authorities that use government’s secure communications system, SGSI, or Secure Government Swedish Intranet. NCR technicians also had not undergone clearance checks.
Serbia is not part of the EU and is a concern to Swedish intelligence due to Serbia’s close ties with Russian intelligence. NCR’s staff didn’t have access to the content of communications, but could view metadata associated with them, which could be valuable to foreign intelligence agencies.
Information exposed to IBM’s Czech operations include the names, addresses, and photos of every resident with a Swedish drivers license.
However, the most controversial aspect of the leak is that it revealed the nation’s roads, rail and maritime infrastructure, air force pilots identities, and individuals in Sweden's witness protection programs.
Sweden’s Defense Force vehicle register may have also been exposed via the agency's contract with IBM.
The first hint of what has become a full blown scandal this month emerged in January after the sudden and unexplained departure of Transportstyrelsen’s director general, Maria Ågren.
Earlier this month it was revealed Ågren was fined half her monthly salary — 70,000 Swedish crowns (AUD$10,728) — for revealing information that could impact national security.
Sweden’s Prime Minister Stefan Lövren, who has so far not publicly discussed the scandal, announced on Sunday that he will address the issue on Monday.
There are signs of a cover up. Rick Falkvinge, founder of Sweden’s Pirate Party, notes that Ågren’s departure followed a heavily redacted 250 page report from Sweden’s security police, SÄPO, on the issue.
“This event means that other people have been aware of the severity of the leaks for quite some time, and yet not done anything about them as they are still ongoing as of July 22, 2017,” he wrote.