
Sweden Accidentally Leaks Personal Details of Nearly All Citizens (thehackernews.com) 241

An anonymous reader quotes a report from The Hacker News: Swedish media is reporting a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.

In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks. However, the Swedish Transport Agency uploaded IBM's entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs. The transport agency then emailed the entire database in messages to marketers that subscribe to it. And what's terrible is that the messages were sent in clear text. When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

  • by 93 Escort Wagon ( 326346 ) on Monday July 24, 2017 @04:04PM (#54869827)

    This story is more fun if, in your head, you read the summary using a Swedish accent.

  • Seriously? (Score:5, Insightful)

    by CustomSolvers2 ( 4118921 ) on Monday July 24, 2017 @04:08PM (#54869853) Homepage
    Some pretty descriptive quotes from the linked article:

    Swedish Transport Agency uploaded IBM's entire database onto cloud servers

    The transport agency then emailed the entire database in messages to marketers that subscribe to it.

    were sent in clear text

    error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list

    every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.

    One of the multiple questions coming to my mind after reading all this is: why are such different types of top-level secret information of a country being stored in the same database?!

    • Logically, with "being stored in the same database" I meant being managed together (1 database or 1000 doesn't matter).
    • My first thought as well. This is a warning to how much info government should have.
      I'm surprised hospital and psychiatric records aren't available.
      • I personally think that some of the released information like the one of people under witness relocation programs seems much more delicate than medical records.
        • They have no information on people on the witness protection program. But they have the drivers license database, and people in witness protection have drivers licenses so they are in there. So if you are looking for one of them you can search through the pictures until you find who you are looking for which is the problem.
          • They have no information on people on the witness protection program. But they have the drivers license database, and people in witness protection have drivers licenses

            Even by assuming that there is no clear indication about the fact of the given person being in a witness protection program, it seems pretty delicate stuff. One of the basic actions associated with dealing with a subset of highly protected individuals/data sources is to remove them from the common data sources/classifications. In any case, the linked article might be intentionally increasing its clickbaitness by implying issues (e.g., express mention of the given person being in a witness protection program

    • by Kjella ( 173770 )

      Well the database wouldn't have information about "fighter pilots, SEAL team operators, police suspects, people under witness relocation" but it would have information about people who happen to be those sorts of things. The Scandinavian countries and quite a few other European countries all have a unique "person ID" which is essentially an SSN on steroids. Pretty much any official service or registry that needs to identify you uses that number, so does the bank (no anonymous accounts), the phone company (no a

      • It is entirely possible to buy a phone and a pay-as-you-go SIM using cash in Sweden. I did so when I first came here, when I as yet had no personal number.

      • It is entirely possible that the linked article unnecessarily blew everything out of proportion and relied on quite a few misinterpretation-prone expressions. I am not a Swede and cannot understand Swedish, that's why all my comments were written on the basic assumption that the provided information was right. What you are describing seems to provide a much more sensible context than what some parts of the article were implying.
    • by Flu ( 16236 )

      One of the multiple questions coming to my mind after reading all this is: why are such different types of top-level secret information of a country being stored in the same database?!

      Because of incompetence.

      The database didn't contain any marking of whose identities, military vehicles and whereabouts were classified, or at least it wasn't removed prior to mailing. The top secret information of the infrastructure etc, are probably actually stored in a different, infrastructure-related database, but from a news point of view, that was never mentioned since it is of no importance how many different databases were leaked.

      • that was never mentioned since it is of no importance how many different databases were leaked.

        You mean different databases + in different locations + with different access levels, I presume. Many people here are complaining about the numerous problems in the information of the linked article, but nobody is providing a reliable enough alternative in English!

    • One of the multiple questions coming to my mind after reading all this is: why are such different types of top-level secret information of a country being stored in the same database?

      I'd say that chances are that they were not considered top-secret. Data that allows you to identify a person and find their address etc are generally not, even if it is important to the individual that the data are kept secret. Top-secret normally means that secrecy is important for the security of the nation.

      Another question worth asking is: how can you fit an entire database into an email? If it contains photos of several million people, it is going to be large. It doesn't sound plausible to me.

      • were not considered top-secret

        The linked article (by assuming that it is accurate, because many people here are saying that it is very misleading) talks about various issues which are certainly top-secret like names/addresses of people in witness protection/considered by police as classified or detailed information about military vehicles.

        how can you fit an entire database into an email?

        Emailing a database sounds actually kind of weird and using an expression like mailing records of a database would have been better. In any case, mailing a whole database is quite straightforward (by a

        • The linked article (by assuming that it is accurate, because many people here are saying that it is very misleading) talks about various issues which are certainly top-secret like names/addresses of people in witness protection/considered by police as classified or detailed information about military vehicles.

          I think you are using the term 'top-secret' in a different meaning than mine (which is not to imply that mine is right) - top-secret is usually reserved for state secrets, not for information like this, however important it may be for the individuals. Information about individuals under witness protection doesn't have the potential to compromise the security of the state, normally.

          In any case, mailing a whole database is quite straightforward...

          The point I was trying to get across was that almost any database you can think of is likely to be big - several GB, certainly i

          • top-secret is usually reserved for state secrets

            You are certainly right. I was using the expression pretty informally, by meaning highly classified information.

            The point I was trying to get across was that almost any database you can think of is likely to be big - several GB, certainly if it contains large numbers of images

            The images might be a problem, but just the kind of referred information might be stored in a relatively small size. By bearing in mind that Sweden is a pretty small country, storing all the text for the "delicate bits" (e.g., witness protection programs, classified by police, classified by army, etc.) shouldn't require a big size and seems easily "emailable". In something like 1 million rows and 10 columns you might store a lot and this doesn't occupy too much.

            • Related (kind-of-jokish) complaint: why is Slashdot locating the Preview and Submit buttons in exactly the same position? Sometimes, the site might respond a bit slower, you might want to just preview your first draft and, with a second click (because the first one didn't seem to go through), might submit it by accident!
  • by martiniturbide ( 1203660 ) on Monday July 24, 2017 @04:09PM (#54869855) Homepage Journal
    switch cars with your neighbors.
  • Russian spies just got their requests for a couple of years of sabbatical accepted, because there's no more work to do.

  • by tigersha ( 151319 ) on Monday July 24, 2017 @04:17PM (#54869931) Homepage

    > ..the transport agency then emailed the entire database in messages to marketers that subscribe to it.

    This sentence makes no sense. What did the marketers subscribe to? The top secret database??!! This must have been quite a large database, I doubt that you can attach and mail it. Who mailed what to whom?

    The whole article reads like something Google translate did on a day when the server was drunk or half asleep.

    • I think the problem -- in this case -- may not be with the journalist but with the excuses the government is providing.
    • "..the transport agency then emailed the entire database in messages to marketers that subscribe to it."

      This sentence makes no sense. What did the marketers subscribe to? The top secret database??!! This must have been quite a large database, I doubt that you can attach and mail it. Who mailed what to whom?

      The whole database WAS indeed leaked. In clear text. To former Soviet countries. And also by mail. As decided by a senior official(!).

      Most content of the DB is official data under the freedom of information act (Offentlighetsprincipen), so it does make sense to supply that information to any commercial subscriber, such as insurance companies etc., but from a military standpoint, this leak is the most severe leak since 1980's, when Russian spy Stig Bergling stole enormous amounts of top secret informatio

  • I hope they can sue IBM / jail someone for this.

    • Why would you sue or jail IBM when it was the government agency itself that uploaded the database to a cloud server and then emailed it? It's in the fucking summary.

    • by Flu ( 16236 )

      I hope they can sue IBM / jail someone for this.

      It was Transportstyrelsen that simply pushed the timeline so they didn't have time to vet the persons with access to the database at IBM for security clearance. And I guess the IBM folks weren't informed that the database contained top secret information - because the officials at Transportstyrelsen didn't know that in the first place!

  • Funny this, yesterday, we were discussing the Norwegian story about how everybody has access to everyone else's income, and it's no big deal, since they have a sense of community & everyone trusts each other. Now, I know that Sweden is not Norway, but culturally, from what I understand, very similar. In which case, this accidental leak should be no issue at all, since all Scandinavians are perfectly honest people who wouldn't dream of even SCANNING other people's personal data, let alone steal from th

    • by uffe_nordholm ( 1187961 ) on Monday July 24, 2017 @05:14PM (#54870401)
      You are right in that Sweden and Norway are culturally very similar. But I think you are wrong about this leak.

      If the rest of the world can see details about every single driving licence ever issued in Sweden, I see no real harm. But this leak has (at least potentially) exposed things like which vehicles the secret army units have (and how many of them), who the Swedish combat pilots are and where they live, which roads and bridges can support which vehicle types (good to know when invading a country, so the road you drive on doesn't suddenly collapse under the load).

      Apart from a lot more discussion than is normal about a political issue in Sweden, the only real thing that has happened is that the director responsible for this has been fired and fined some three weeks worth of wages. My personal opinion is that she should have been tossed in prison and left to rot there, this leak may have damaged Sweden much more than all spies that have ever operated in Sweden in the past.

      My sources: a lot of reports in Swedish media.
      Full disclosure: I live in Sweden and am a Swedish native.
      • which roads and bridges can support which vehicle types (good to know when invading a country, so the road you drive on doesn't suddenly collapse under the load).

        This leads me to suspect that the weight limits posted on bridges, even allowing for some safety margin, are probably much lower than true capacity. By this, I mean that a small bridge marked "Weight limit 15,000 kg" might be able to support a 48,000 kg -14 .

        Maybe we will see teams of structural engineers armed with angle grinders weakening bridg

        • Should have read "a 48,000 kg T-14 Armata" in Cyrillic letters, but I didn't notice that they had been stripped.
      • Sweden has a military? Who are they defending against? I can see how it might have been useful in WWII or in the Thirty Years War, but today, much of Europe is demilitarized, and only 4 European countries (Russia, Ukraine, Belarus not included) pay 2% or more of their GDP on defense. Sweden's neighbors are Finland, Norway, and Denmark. None of those countries have plans to invade Sweden. Or do they?

        • For me as a Swede, it is utterly inconceivable that there would be war between Sweden and any of our immediate neighbours. Unfortunately the same can not be said about Russia: although we don't share a land border, we do have the Baltic Sea as a common body of water. Russia could launch an invasion from St Petersburg or the Kaliningrad enclave. Considering the amount of Russian *cough*volunteers*cough* that have taken time out of their regular army jobs to help in the Donbass conflict, I don't think Sweden
    • So this story is essentially much ado about nothing

      So while some 90% of the database is official, it DOES contain secret military information without any marking of that, or at least that wasn't removed prior to publishing the database.

      From a military perspective, this is the largest leak since the 1980's, when Russian spy Stig Bergling stole huge amounts of even more dangerous information, which basically forced a complete(!) re-organization of the whole military.

  • "When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves." Hey guys, yeah, could you just ignore that last email we sent? That would be great, thanks. I'm surprised they didn't just try an Exchange "recall message". Is this their actual policy for data leaks?
  • Does that include chest size for the women? We need to know!

  • Leak happened in 2015!

    Although the data breach happened in 2015, Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.

    Holy shit. I have a hard time wrapping my head around how massive of a fuckup this is.

    Ågren was also fined half a month's pay (70,000 Swedish krona which equals $8,500)

    Oh. Well hell, that ought to teach her.

    • Re:Old news? (Score:4, Interesting)

      by e5150 ( 938030 ) on Monday July 24, 2017 @05:43PM (#54870605)

      The crime she committed ("Recklessness with secret documents") carries a maximum penalty of one year in prison (BrB 19 kap. §9). And although I wouldn't mind seeing her spending some time behind bars, after having read (the redacted, non-juicy, parts of) the Secret service investigation, I wouldn't really put the blame on her.
      The whole mess started before she was appointed director of the agency, she seems to basically have been brought in and told: "Sign these documents, otherwise the outsourcing is gonna be delayed even further".
      I would like to see a lot more heads roll before this story gets filed away.

    • Leak happened in 2015!

      Turning one sheet of paper every day, it takes some time for any information of the leaks to be published under the freedom of information act ("Offentlighetsprincipen"). If you're in a hurry. Otherwise, they'll only do it on Friday afternoons. If there's any spare time...

  • Why would a transport agency have any access to witness relocation data?

    • I mean witness protection.

    • by Flu ( 16236 )

      Why would a transport agency have any access to witness relocation data?

      Because of incompetence.

      Since the database is meant to contain information about who's got a driver's licence or owns cars, it basically contains every person's real address - including the ones in the witness protection programs, airforce pilots and others with secret identity. Problem is, the DB didn't contain markers about whose address is classified - or at least they weren't removed prior to the DB's publishing.

  • The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more.

    Oh yeah, and it also reveals the names of catholic priests, pedophiles, skull-fuckers, rapists, and community leaders. Which, as anyone knows, are all the same people. And fuck, they also reveal who knows about Area 51, alien invaders, and [enter your tinfoil here].

    In all seriousness though, wtf is the spin in TFS. It reads as if it was a national security issue, whereas TFS holds that it's about names, photos and home addresses. Not activity.

    Fuck you Slashdot editors. You're worthless.

    • by Flu ( 16236 )

      Oh yeah, and it also reveals the names of catholic priests, pedophiles, skull-fuckers, rapists, and community leaders. It reads as if it was a national security issue, whereas TFS holds that it's about names, photos and home addresses.

      Fuck you Slashdot editors. You're worthless.

      From a military standpoint, this leak IS indeed dangerous, since it basically tells any attacker what and whom (if just 30% of the fighter pilots are killed before any invasion, we're basically a sitting duck), so although I wish you weren't wrong, you are. The TFS has a lot more information than it ought to in its database, or at least, they did not remove top secret information prior to its publishing.

      The "funny" thing is that the officials confirm the database was leaked, "but any villain do not have t

  • ... right after I copy it to safe harbour.

  • Seriously, Russia had been trying to do this for a year, and then Sweden goes and does it for them.

    All those wasted hacker hours.

    Sigh.

  • "A government big enough to give you everything you want, is a government big enough to take away everything that you have."

    - Thomas Jefferson

    This should be a reminder that an omnipresent government like the Swedish government has some inherent risks.

  • The title says it was an "accident" which is incorrect. This was done with open eyes all the while security responsible protested and a lot of other IT people.

    The director ordered this outsourcing project to continue and give access to the IBM contractors before they had been given security clearance. IBM's personnel are located in different countries such as Serbia, Poland, etc. The access is (still) administrative access to databases and data shares.

    It's of course not just one big database but many. What'

  • Sounds like BS to me.

    Where I work, emails are limited to 10MB in size. We have an email application that allows for large file transfer, up to 150MB. I'm sure most governments and corporations have similar restrictions, or at least *some*.

    I'm not sure what size the Transportation database would be for an entire country, but I am thinking it would be large enough that no email system anywhere of any type is going to be very successful at moving it.

    What is more likely is that the data was on the cloud, and th
