A 2015 decision by the former head of Sweden’s Transport Agency, Maria Ågren, to outsource sensitive national data is emerging as a blunder of massive proportions, for which Ågren was only fined half a month’s salary.
Säpo, Sweden’s security police, reportedly began investigating the agency (Transportstyrelsen) after learning that a list of all vehicles in the country – along with owner information – was accidentally leaked in plain text to IT workers at a cloud location in Eastern Europe as part of an outsourcing effort with IBM.
The IT staff, who operated an IBM data center in Serbia, lacked security clearance to handle the data, which included police and military vehicle information, complete with the full names and addresses of their owners. Even witness protection program data was leaked.
The leak, per privateinternetaccess.com, included:
- Type, model, weight, and any defects of all government and military vehicles, even their operators
- The weight capacity of all roads and bridges (valuable in times of warfare)
- Names, photos and home addresses of fighter pilots
- Classified names, photos and home addresses in a police register
- Names, photos and home addresses of operators in the military’s most secret units
- Names, photos and home addresses of people in a witness relocation program
As the scandal unfolded, Ågren was fired, for undisclosed reasons, in January, and was fined 70,000 kronor, or half a month’s salary. Later, she was found guilty of being “careless with secret information.”
Describing the outsourcing without proper security checks, one Transport Agency staff member likened the move to handing over “the keys to the Kingdom,” according to an interview with Säpo.
Ågren, in her defense, reportedly said she had no choice but to bypass standard security measures if she was to complete the outsourcing effort, as the Transport Agency was letting staff go in 2015.
The Säpo report gives no indication of whether Sweden’s national security was compromised due to the leak.