Sweden leaked confidential data to IBM in outsourcing deal

The historical leak was only made public this week, and involved 'protected identities'

Sweden's government inadvertently leaked details of its citizens, as well as confidential data, in an outsourcing deal with IBM.

The leak occurred when the Swedish Transport Agency outsourced its hardware, networking and applications services to IBM Sweden in 2015, but details of the breach have only now emerged.

IBM, which is not believed to have been at fault, declined to comment.

Advertisement - Article continues below

The agency's then-director general, Maria gren, decided "to deviate" from the Security Act, the Personal Data Act and the Publicity and Privacy Act as well as the authority's own guidelines for information security requirements, the Swedish government said in a Swedish FAQ (the Transport Agency has since issued an English language statement).

That deviation involved choosing not to subject IBM's operations technicians to security background checks, meaning they viewed the data without security clearance.

She left the role in January, and was fined $8,500 for "carelessness with secret information, but without intent".

Her replacement, Jonas Bjelfvenstam, said: "The authority handles crucial information which affects citizens, companies and other authorities, and it is my firm belief that we, in every situation, must comply with the laws and regulations applicable to the authority's work. Nothing else is acceptable. We take the criticism against the Swedish Transport Agency very seriously. And we would also like to make it clear that we have no indications that data was disseminated improperly." 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Swedish prime minister Stefan Lovfen was quoted in the Financial Times as saying: "What happened in the transport agency is a disaster. It is extremely serious. It has exposed both Sweden and Swedish citizens to risk."

Media reports suggested that military vehicle details and information about people in witness protection programmes was among the data. Sweden's government said no military vehicle details were included, though vehicles registered to civilians were. The Transport Agency has also said there is no evidence that the data was leaked beyond IBM's technicians. 

It did admit it included those with protected identities, but added: "We have no indications indicating that data was disseminated improperly, so we do not see any direct cause for concern."

Swedish news website The Local reported that IBM administrators in the Czech Republic had full access to the information while firewalls and communications were maintained by a company in Serbia, but the Transport Agency said that all data has remained in Sweden "all the time".

Advertisement - Article continues below

Other reports in the Swedish press, such as an article from Dagens Nyheter, have claimed that information such as databases containing criminal records were available to the IT workers.

The agency estimates that the issue will not be resolved until autumn, when personnel handling the "administration of application management" will have had background checks.

This article was updated on 27 July 2017 with more information from the Transport Agency.

Image source: Bigstock

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/data-breaches/355056/vpnmentors-web-mapping-project-finds-more-exposed-military-files-via
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Most Popular

Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020