IT security in Swedish agencies has been called into question after the emergence of a leak containing millions of Swedes’ driving licence data.
Säpo (Sweden’s security police) conducted an investigation into the Swedish transport agency Transportstyrelsen after the leak came to light. Vehicle data, including military and police, was made available to IT workers in Eastern Europe who had not been granted sufficient clearance to access the data.
IT maintenance was outsourced to IBM in April 2015 as a cost-cutting measure, with full access to all data and logs granted to IBM administrators in the Czech Republic. A company in Serbia maintained all communications and firewalls.
In an interview with Säpo, one transport agency staff member accused those responsible for outsourcing without conducting security checks of “handing over the keys to the kingdom”.
Security expert Johan Wiktorin told Swedish newspaper Dagens Nyheter:
“The fact that a security check has not been made is serious. That means you have not tested the people’s loyalty and don’t know if you can trust them from the Swedish side. In the case of Serbia, there’s a fairly close relationship between the Serbian and Russian intelligence services. In the worst case, foreign intelligence services have been given an access route into the computer systems.”
Prosecutor Ewamari Häggkvist told Swedish public radio:
“I think it is serious that security protection is not taken seriously at so many government agencies, including the transport agency in this case. It is not forbidden in Sweden to place data services in other countries, even if you’re an authority that holds secret information. But what it’s about is that people need security clearance to handle such data, and that’s where they failed.”
This isn’t the first time Transportstyrelsen has courted controversy. Maria Ågren, its former director general, was previously fined 70,000 krona (€7,270) when she was found guilty of being “careless with secret information”. In January 2017 she was removed from her position for undisclosed reasons.
Every organisation that processes EU residents’ personal data must be able to demonstrate its compliance with the General Data Protection Regulation (GDPR) by 25 May 2018. Failure to do so could bring fines of up to 4% of annual global turnover or €20 million – whichever is greater.