In what is likely the most serious data breach of its kind, Sweden’s entire vehicle and license register was uploaded to cloud servers and emailed in plain text to marketers. More horrifying is the fact that register contains information on police and military vehicles as well as information on individuals in witness protection programs.
Swedish media reported the breach, with some stating that the Swedish Transport Authority handed over “the keys to the kingdom” to, well, everyone. The database even includes information on the weight capacity of all the roads and bridges in Sweden. This is a serious security risk. The “Type, model, weight, and any defects in all government and military vehicles, including their operator” has also been leaked.
According to The Hacker News, the names, photos and addresses of all members of the air force, the police, special forces and members of Sweden’s witness relocation program have been leaked. The “Type, model, weight, and any defects in all government and military vehicles, including their operator,” was also leaked, adds the report.
The Local reports that the breach can be traced to Maria Ågren, Director General of the Transport Agency, who was fired for “undisclosed reasons” in January the year. She was later fined 70,000 kronor (around Rs 5.5 lac) for being “careless with secret information,” which was the point at which media discovered and reported the data breach.
In a bid to cut down on expenditure, the Transport Authority, at Maria Ågren’s behest, apparently outsourced the management of the vehicle and license register to IBM in April 2015. The Authority was reportedly facing a severe cash crunch and was pressed for time; as a result, the contract was handed over to IBM without a proper security audit.
While the Swedish government has no issue with outsourcing IT security and data, it expects that a thorough security audit be done. In this case, an unknown number of Eastern European security professionals – including some in the Czech Republic — who did not have the proper clearance apparently handed the data.
The data was also uploaded to IBM’s cloud servers without a security audit of said servers. To top it off, The Hacker News reports that the Transport Authority itself mailed the entire database in plain text to marketers.
Sensitive databases are normally encrypted. In the event of a data breach, a hacker would still have to decrypt the database to extract useful data. For a properly secured database, this task should be virtually impossible. The fact that the database was emailed in plain text means that all the information contained in the database is readily accessible to anyone with access to the database.
Sweden’s security police unit Säpo is currently handling the investigation. The breach occurred in 2015, but wasn’t discovered until 2016. Reports suggest that it won’t be contained till later this year.
The extent of the Swedish data breach reveals the importance of securing all-encompassing databases like Aadhaar and even brings into questioning the necessity of maintaining a centralised database of this nature.