Sweden Accidentally Leaks Personal Details of Nearly All Citizens (thehackernews.com)
An anonymous reader quotes a report from The Hacker News: Swedish media is reporting a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.
In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.
Helpful tip (Score:3)
This story is more fun if, in your head, you read the summary using a Swedish accent.
Re:Helpful tip (Score:4, Funny)
See the løveli lakes
The wonderful telephøne system
And mani interesting furry animals
Including the majestic møøse.
Re: (Score:2)
You both use the Norwegian and Danish ö, not the Swedish one.
Re: (Score:3, Funny)
You, on the other hand, don't recognize Monty Python references. :-)
Re: (Score:2, Funny)
A møøse once bit my sister.
Re: (Score:2)
There's benefits to having everything in one place in terms of performance and data deduplication.. for example, if they had military and driving and health records in three different databases -- that means 3 different copies of a person's name and likely 3 different copies of their address and other "standard" information. That means 3 places it can be screwed up by a clerk mistyping or whatever, and 3 places that need to be updated whenever a person moves or changes their name (direct name changes aren'
Re: (Score:2)
Sweden has become such a US corporate
Re: (Score:2)
Privacy protections on existing databases?
Re: Seriously? (Score:2)
I'm surprised hospital and psychiatric records aren't available.
Re: (Score:3)
Well the database wouldn't have information about "fighter pilots, SEAL team operators, police suspects, people under witness relocation" but it would have information about people who happen to be those sorts of things. The Scandinavian countries and quite a few other European countries all have a unique "person ID" which is essentially an SSN on steroids. Pretty much any official service or registry that needs to identify you uses that number, so does the bank (no anonymous accounts), the phone company (no a
Re: (Score:2)
It is entirely possible to buy a phone and a pay-as-you-go SIM using cash in Sweden. I did so when I first came here, when I as yet had no personal number.
Re: (Score:2)
One of the multiple questions coming to my mind after reading all this is: why are so different types of top-level secret information of a country being stored in the same database?!
Because of incompetence.
The database didn't contain any marking of whose identities, military vehicles and whereabouts were classified, or at least it wasn't removed prior to mailing. The top secret information of the infrastructure etc, are probably actually stored in a different, infrastructure-related database, but from a news point of view, that was never mentioned since it is of no importance how many different databases were leaked.
Re: (Score:2)
One of the multiple questions coming to my mind after reading all this is: why are so different types of top-level secret information of a country being stored in the same database?
I'd say that chances are that they were not considered top-secret. Data that allows you to identify a person and find their address etc are generally not, even if it is important to the individual that the data are kept secret. Top-secret normally means that secrecy is important for the security of the nation.
Another question worth asking is: how can you fit an entire database into an email? If it contains photos of several million people, it is going to be large. It doesn't sound plausible to me.
Re: (Score:2)
The linked article (by assuming that it is accurate, because many people here are saying that it is very misleading) talks about various issues which are certainly top-secret like names/addresses of people in witness protection/considered by police as classified or detailed information about military vehicles.
I think you are using the term 'top-secret' in a different meaning than mine (which is not to imply that mine is right) - top-secret is usually reserved for state secrets, not for information like this, however important it may be for the individuals. Information about individuals under witness protection doesn't have the potential to compromise the security of the state, normally.
In any case, mailing a whole database is quite straightforward...
The point I was trying to get across was that almost any database you can think of is likely to be big - several GB, certainly i
Everybody in Sweden!!!....fast... (Score:4, Interesting)
Re: (Score:2)
--GMTA :) Although I was thinking "houses"... ;-)
Nice (Score:2)
Russian spies just got their requests for a couple of years of sabbatical accepted, because there's no more work to do.
Marketers subscribe (Score:5, Insightful)
> ..the transport agency then emailed the entire database in messages to marketers that subscribe to it.
This sentence makes no sense. What did the marketers subscribe to? The top secret database??!! This must have been quite a large database, I doubt that you can attach and mail it. Who mailed what to whom?
The whole article reads like something Google translate did on a day when the server was drunk or half asleep.
Unfortunately, the story's completely true :-( (Score:2)
"..the transport agency then emailed the entire database in messages to marketers that subscribe to it."
This sentence makes no sense. What did the marketers subscribe to? The top secret database??!! This must have been quite a large database, I doubt that you can attach and mail it. Who mailed what to whom?
The whole database WAS indeed leaked. In clear text. To former Soviet countries. And also by mail. As decided by a senior official(!).
Most content of the DB is official data under the freedom of information act (Offentlighetsprincipen), so it does make sense to supply that information to any commercial subscriber, such as insurance companies etc., but from a military standpoint, this leak is the most severe leak since 1980's, when Russian spy Stig Bergling stole enormous amounts of top secret informatio
I hope they can sue IBM / jail someone (Score:2)
I hope they can sue IBM / jail someone for this.
Re: (Score:2)
Why would you sue or jail IBM when it was the government agency itself that uploaded the database to a cloud server and then emailed it? It's in the fucking summary.
Re: (Score:2)
I hope they can sue IBM / jail someone for this.
It was Transportstyrelsen that simply pushed the timeline so they didn't have time to vet the persons with access to the database at IBM for security clearance. And I guess the IBM folks weren't informed that the database contained top secret information - because the officials at Transportstyrelsen didn't know that in the first place!
Shouldn't matter to Swedes, since... (Score:2)
Funny this, yesterday, we were discussing the Norwegian story about how everybody has access to everyone else's income, and it's no big deal, since they have a sense of community & everyone trusts each other. Now, I know that Sweden is not Norway, but culturally, from what I understand, very similar. In which case, this accidental leak should be no issue at all, since all Scandinavians are perfectly honest people who wouldn't dream of even SCANNING other people's personal data, let alone steal from th
Re:Shouldn't matter to Swedes, since... (Score:4, Interesting)
If the rest of the world can see details about every single driving licence ever issued in Sweden, I see no real harm. But this leak has (at least potentially) exposed things like which vehicles the secret army units have (and how many of them), who the Swedish combat pilots are and where they live, which roads and bridges can support which vehicle types (good to know when invading a country, so the road you drive on doesn't suddenly collapse under the load).
Apart from a lot more discussion than is normal about a political issue in Sweden, the only real thing that has happened is that the director responsible for this has been fired and fined some three weeks' worth of wages. My personal opinion is that she should have been tossed in prison and left to rot there, this leak may have damaged Sweden much more than all spies that have ever operated in Sweden in the past.
My sources: a lot of reports in Swedish media.
Full disclosure: I live in Sweden and am a Swedish native.
Re: (Score:2)
This leads me to suspect that the weight limits posted on bridges, even allowing for some safety margin, are probably much lower than true capacity. By this, I mean that a small bridge marked "Weight limit 15,000 kg" might be able to support a 48,000 kg -14 .
Maybe we will see teams of structural engineers armed with angle grinders weakening bridg
Re: (Score:2)
Sweden has a military? Who are they defending against? I can see how it might have been useful in WWII or in the Thirty Years War, but today, much of Europe is demilitarized, and only 4 European countries (Russia, Ukraine, Belarus not included) pay 2% or more of their GDP on defense. Sweden's neighbors are Finland, Norway, and Denmark. None of those countries have plans to invade Sweden. Or do they?
It contains top secret information (Score:3)
So this story is essentially much ado about nothing
So while some 90% of the database is official, it DOES contain secret military information without any marking of that, or at least that wasn't removed prior to publishing the database.
From a military perspective, this is the largest leak since the 1980's, when Russian spy Stig Bergling stole huge amounts of even more dangerous information, which basically forced a complete(!) re-organization of the whole military.
Best incident response policy ever! (Score:2)
Sweden, eh? (Score:2)
Does that include chest size for the women? We need to know!
Old news? (Score:2)
Although the data breach happened in 2015, Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.
Holy shit. I have a hard time wrapping my head around how massive of a fuckup this is.
Ågren was also fined half a month's pay (70,000 Swedish krona which equals to $8,500)
Oh. Well hell, that ought to teach her.
Re:Old news? (Score:4, Interesting)
The crime she committed ("Recklessness with secret documents") carries a maximum penalty of one year in prison (BrB 19 kap. §9). And although I wouldn't mind seeing her spending some time behind bars, after having read (the redacted, non-juicy, parts of) the Secret service investigation, I wouldn't really put the blame on her.
The whole mess started before she was appointed director of the agency, she seems to basically have been brought in and told: "Sign these documents, otherwise the outsourcing is gonna be delayed even further".
I would like to see a lot more heads roll before this story gets filed away.
Probably not made official until now (Score:2)
Leak happened in 2015!
Turning one sheet of paper every day, it takes some time for any information of the leaks to be published under the freedom of information act ("Offentlighetsprincipen"). If you're in a hurry. Otherwise, they'll only do it on Friday afternoons. If there's any spare time...
Witness relocation (Score:2)
Why would a transport agency have any access to witness relocation data?
Re: Witness relocation (Score:2)
I mean witness protection.
Re: (Score:2)
Why would a transport agency have any access to witness relocation data?
Because of incompetence.
Since the database is meant to contain information about who's got a driver's licence or owns cars, it basically contains every person's real address - including the ones in the witness protection programs, airforce pilots and others with secret identity. Problem is, the DB didn't contain markers about whose address is classified - or at least they weren't removed prior to the DB's publishing.
Wtf is this spin? (Score:2)
The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more.
Oh yeah, and it also reveals the names of catholic priests, pedophiles, skull-fuckers, rapists, and community leaders. Which, as anyone knows, are all the same people. And fuck, they also reveal who knows about Area 51, alien invaders, and [enter your tinfoil here].
In all seriousness though, wtf is the spin in TFS. It reads as if it was a national security issue, whereas TFS holds that it's about names, photos and home addresses. Not activity.
Fuck you Slashdot editors. You're worthless.
Re: (Score:2)
Oh yeah, and it also reveals the names of catholic priests, pedophiles, skull-fuckers, rapists, and community leaders. It reads as if it was a national security issue, whereas TFS holds that it's about names, photos and home addresses.
Fuck you Slashdot editors. You're worthless.
From a military standpoint, this leak IS indeed dangerous, since it basically tells any attacker what and whom (if just 30% of the fighter pilots are killed before any invasion, we're basically a sitting duck), so although I wish you weren't wrong, you are. The TFS has a lot more information than it ought to in its database, or at least, they did not remove top secret information prior to its publishing.
The "funny" thing is that the officials confirm the database was leaked, "but any villain do not have t
I'll delete it ... (Score:2)
... right after I copy it to safe harbour.
A year of work by the GRU down the drain (Score:2)
Seriously, Russia had been trying to do this for a year, and then Sweden goes and does it for them.
All those wasted hacker hours.
Sigh.
Thomas Jefferson said it... (Score:2)
"A government big enough to give you everything you want, is a government big enough to take away everything that you have."
- Thomas Jefferson
This should be a reminder that an omnipresent government like the Swedish government has some inherent risks.
Not an accident (Score:2)
The title says it was an "accident" which is incorrect. This was done with open eyes all the while security responsible protested and a lot of other IT people.
The director ordered this outsourcing project to continue and give access to the IBM contractors before they had been given security clearance. IBM's personnel are located in different countries such as Serbia, Poland, etc. The access is (still) administrative access to databases and data shares.
It's of course not just one big database but many. What'
emailed the entire database? (Score:2)
Sounds like BS to me.
Where I work, emails are limited to 10MB in size. We have an email application that allows for large file transfer, up to 150MB. I'm sure most governments and corporations have similar restrictions, or at least *some*.
I'm not sure what size the Transportation database would be for an entire country, but I am thinking it would be large enough that no email system anywhere of any type is going to be very successful at moving it.
What is more likely is that the data was on the cloud, and th
Re: (Score:2)
Um...according to TFA it WAS a corporation (IBM) that coughed up the data.
Re: (Score:2)
Nowhere in TFA does it say IBM coughed up the data. It specifically says the government did it.
Re:This is why the US need a smaller government... (Score:4, Insightful)
When the government screws up, you're stuck with it (short of revolution). In fact the way a lot of government union employment contracts are structured, you can't even fire the people responsible for the screwup.
I've never bought into the claim that all government is good and all corporations bad. Nor have I bought into the claim that all corporations are good and all government is bad. Both can do good things, both can do bad things. The trick is figuring out which things one tends to do better than the other, and giving the job to the more capable entity.
Re:This is why the US need a smaller government... (Score:4, Interesting)
You can sue the government in many democracies. Not sure if Sweden is one of those places, but it's certainly not something you can arbitrarily claim without looking into it. (Whether it's useful to sue the government is another question of course..)
and giving the job to the more capable entity
Unfortunately neither organization has mastered preventing human error, so while you're not incorrect.. your statement is rather irrelevant to "someone f'd up," no matter how big an f they upped.
Re: (Score:3)
You can sue the government in many democracies.
I.e., you can sue yourself, the taxpayer. How would anyone in Sweden receive remedy given that every Swede was affected? You would have to tax each citizen the exact cost of the judgement they receive or else reallocate money from their public services.
Unfortunately neither organization has mastered preventing human error,
Government seems to think that punishing 'human error' is a great way to prevent it -- provided we are talking about citizens acting privately. If I make the human error of not noticing a change in speed limit the government is happy to fine me and possibly
Re:This is why the US need a smaller government... (Score:4, Insightful)
When the government screws up, you're stuck with it (short of revolution).
I don't know where you live but around here we have these things called elections which let us change governments without all the shooting, rioting and deaths of a typical revolution. You should try them, they aren't fantastic but they are a lot better than the alternative.
Re: (Score:2)
The discussions now are whether the ministers, that were notified by the director-general that the agency intended to ignore the laws by fore-going the background checks but took no actions, will have to go.
I think you mean forgoing, unless you mean they preceded the background checks?
Re: (Score:2)
This is why the US need a smaller government...
How would a smaller government in the US mitigate a problem in Sweden?
Re: (Score:2)
Says a dude that is morbidly obese even while supposedly on a low-calorie, low-carb diet.
A smaller government obviously requires skinnier people. Check out my blog post where I lost ten pounds in ten weeks [kickingthebitbucket.com] after getting the Greater Goods Basic Bathroom Scale [amzn.to] for $20 to accurately measure my weight when the gym scales stopped thunking at 350 pounds.
Re: (Score:2)
Classy with the affiliate link there, that wasn't at all transparently motivated.
Re: (Score:2)
It took you 10 weeks to lose 10 lbs? And you're bragging?!
According to a coworker who is a martial arts expert, losing a pound per week is sustainable over the long term.
dedication porn (Score:2)
Yes, so long as you aren't simultaneously sustaining any other thing. Like a day job.
I'm joking just a bit, but the word "sustain" is commonly abused in exactly this way.
Weakly sustainable: when just this one thing can be sustained.
Strongly sustainable: a member of the set such that all strongly sustainable things can be sustained at the same time without surpassing the labours of Hercules.
Whenev
Re: (Score:2)
[...] have you ever given one hour notice at work, and then set foot in Tibet the very next day?
As an IT Support contractor, I started a job the same day with a four-hour notice (took that long to fill out, notarize and fax the HR paperwork). That has more to do with me being a miracle worker than my weight.
Re: (Score:2)
i'm down 13 pounds over 5 weeks, but that appears to be mostly water weight.
cut out wheat and milk altogether, and i think i'm on a 700-800 calorie deficit, other than that, haven't changed much.
Re: (Score:2)
You have a reference to a more secure source?
https://www.cdc.gov/healthyweight/losing_weight/index.html [cdc.gov]
It's natural for anyone trying to lose weight to want to lose it very quickly. But evidence shows that people who lose weight gradually and steadily (about 1 to 2 pounds per week) are more successful at keeping weight off. Healthy weight loss isn't just about a "diet" or "program". It's about an ongoing lifestyle that includes long-term changes in daily eating and exercise habits.
Re: (Score:2)
So you're doing the bare minimum and think it's bragworthy?
Yes. Now bitch about something else.
Re:This is why the US need a smaller government... (Score:5, Insightful)
$#@! 'em. And good on you for finding something that tilts the tide and sticking to it. Any idiot can get fast, satisfying results for a little while - it takes determination and vision to accept that what took years to put on will take years to take off. Best of luck in maintaining your vision and embracing your needed lifestyle changes.
An old friend of mine had a sailing metaphor philosophy on life - as long as you can keep trending in the right direction you'll get where you want to go. The important thing is to keep your hand on the wheel and not let yourself get discouraged when you occasionally get blown off course.
Re: (Score:2)
When you're fat and just starting out, you can lose 10 pounds in a week.
If you're a butterball, which I haven't been in 30 years. I rode a bike for 20 years and worked out at the gym for the last ten years. I carry more muscle than fat.
I guess what I'm saying is, a 375 pound man losing 10 pounds in 10 weeks isn't statistically significant enough to imagine a larger trend.
Check back in January when my weight is 325 or so. That was my lowest adult weight when I rode a bike to work for 100 miles per week for three years.
Re: (Score:2)
This is why we need to tear down Hoover Dam and abandon hydroelectric power.
Have you been to Hoover Dam recently? I was there in 2013. The water level has dropped substantially due to global warming. If the water level continues to drop, there won't be enough water to run the turbines.
IDENTITY THEFT! (Score:2)
Jag Ãr Brian och sa Ãr min fru!
once again, slashdot continues to FAIL IT with unicode
Re: This is why the US need a smaller government.. (Score:4, Informative)
Not really, no. The water levels are low for reasons other than global warming. The aquifer is nearly depleted due to overuse and drought. None of those is directly related to climate change. The depletion is definitely due to humans, however. The river should also be fed by aquifer. It isn't. We used the water to grow food and lawns.
Re: (Score:2)
...or a personal website that exposes every detail of your life going back to childhood, huh Tubby?
The personal website that got 60+ visitors today because of this comment shit storm? Keep up the good job! ;)
Re: (Score:2)
You have a very low bar for a "good job".
For today's Slashdot, 30+ per day is normal. Ten years ago, 300+ per day was normal. In 1999, 3,000+ was normal and I would worry about the server crashing.
Re: (Score:2)
Well, let me introduce you to a concept; failing gracefully. This means your server should be stress tested and fine tuned to ensure it never crashes, just stop accepting requests when the load is too high or whatever, there are multiple ways to achieve the goal. A server that crashes under load is misconfigured.
Re: (Score:2)
Well, let me introduce you to a concept; failing gracefully.
Back in 1999, servers just crash and most were misconfigured anyway.
Re: (Score:3)
I always wondered what the GNAA trolls would do when they grew older. So this is what you've sunk to.
Re: (Score:3)
Tell that to Tim Pool [youtube.com], because [youtu.be] he experienced [youtu.be] them first hand. [youtu.be] Don't know who he is? He's an independent journalist that flies all over the place to where the stories are. The most recent case where a German journalist decided to dox him [youtu.be], and then handed all of his info to a German antifa group who then tried to attack him and another group of independent journalists.
There were "friends" who told him not to report on those no-go zones because they didn't want him to for ideological reasons. They want to
Re: (Score:2)
Nonsense,
The future is the issue, not the cloud.
Re: (Score:3)
Thanks! That sure was one sloppy /. post! Fortunately, the Swedish Wikipedia article does present a clear picture: the Swedish department of transportation outsourced its I.T. operation, which resulted in foreign technicians with (obviously) no Swedish security clearance to have complete access to a large amount of sensitive information.
Sure, those in charge of security had opposed the outsourcing, but the leadership could not resist the lure of all that taxpayers’ money that would be saved out of the
APK = Full of Fail (Score:2)
Hate to spoil your narrative, but I'm not from Sweden.
Re:I see how it is (Score:5, Informative)
Even worse - the responsible people were told that the transfer was even an illegal move by the internal revision people of that department but they moved ahead anyway. Responsible ministers kept silent and didn't even inform the prime minister of this.
Nothing less than a public flogging would be suitable.
Don't blame Sweden (Score:4, Funny)
Don't blame Sweden, they thought the cloud was wearing a condom.