Posted on Jul 21, 2017 by Rick Falkvinge

Worst known governmental leak ever is slowly coming to light: Agency moved nation’s secret data to “The Cloud”

Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.




Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) lately, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked. It goes to show, again, that governments can’t even keep their most secret data under wraps — so any governmental assurances to keep your data safe have as much value as a truckload of dead rats in a tampon factory.

It started out with a very speedy trial where a Director General in Sweden was fined half a month’s pay. Given how much the establishment has got each other’s backs, this sentence was roughly equivalent to life in prison for a common person on the street, meaning they must have done something really awful to get not just a guilty verdict, but actually be fined half a month’s salary.

On digging, it turns out the Swedish Transport Agency moved all its data to “the cloud”, as managed by IBM, two years ago. Something was found amiss when the Director General of the Transport Agency, Maria Ågren, was quickly retired from her position this January — but it was only on July 6 that it became known that she was found guilty of exposing classified information in a criminal court of law. The scandal quickly escalated from there.

There’s an enormous amount of data in Swedish about the overall leak scandal, but among all that data, one piece bears mentioning just to highlight the generally sloppy, negligent, and indeed criminal, attitude toward sensitive information:

Last March, the entire register of vehicles was sent to marketers subscribing to it. This is normal in itself, as the vehicle register is public information, and therefore subject to Freedom-of-Information excerpts. What was not normal were two things: first, that people in the witness protection program and similar programs were included in the register distributed outside the Agency, and second, when this fatal mistake was discovered, a new version without the sensitive identities was not distributed with instructions to destroy the old copy. Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.

Take this incident and scale it up to everyday behavior at a whole agency with key responsibility for safeguarding national secrets.

At present, these databases are known to have been exposed, by moving them to “The Cloud” as if it were just a random buzzword:

The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);

Names, photos, and home addresses of fighter pilots in the Air Force;

Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;

Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;

Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;

Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;

the list goes on.

All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance. All of this data can be expected to have been permanently exposed.

Let’s be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison. But not when done by the government themselves. Half a month’s pay was the harshest conceivable sentence.

The leak is still ongoing (!!) and can be expected to be fixed “maybe this fall, perhaps”. Much of the available analysis of the leak is still in the form of fully-redacted documents from the Security Police and similar agencies.

Privacy really really really remains your own responsibility.

Also read the followup article with more, and worse, information: How the Swedish government leaked the secure EU Intranet to Russia, and tried glossing it over.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.


VPN Service

Leave a Reply to Captain Obvious Cancel reply

Your email address will not be published. Required fields are marked *

24 Comments

  1. Retromash

    This shows negligence on so many levels.

    4 months ago
    Reply
    1. makapav

      Corruption.

      4 months ago
      Reply
      1. Steve in CHGO

        Corruption means they personally benefited (eg, financially) from their action, so NOT corruption.

        2 months ago
        Reply
  2. 48

    Sweden’s Transport Agency moved all of its data to “my butt”, apparently
    unaware that there is no butt, only somebody else’s computer.

    4 months ago
    Reply
    1. George van den Driessche

      Clbuttic

      4 months ago
      Reply
  3. varjag

    Thank you for writing about this, the swedish state television and mass media except a few newspapers is trying to reduce this to nothing. I hope this become big news world wide, our country is ruined, these politicians should get life in prison for treason.

    4 months ago
    Reply
  4. novictim

    Sweden is so Cucked! How do these people look themselves in the mirror?

    4 months ago
    Reply
    1. Kettils Mjöd!

      SD is the only political party that cares about sweden and its future for real.

      4 months ago
      Reply
      1. Oleans

        Yeah, for sure. Fascist parties are known for their strong commitment to privacy and civil liberties. Especially when they are in power. So what about these unicorns?

        4 months ago
        Reply
        1. lcronos

          Only fascists are already in power. As an American it’s quite clear that SD is nowhere near fascist. They’re center at most, Sweden doesn’t have a real far right party.

          4 months ago
          Reply
    2. fluxtatic

      Maybe it’s different in Sweden, but in the US, it’s the right-wing that pushes hardest for no privacy and preaches, “if you don’t have anything to hide, you don’t have anything to worry about”, making it crystal clear they’ve never read the Constitution.

      4 months ago
      Reply
      1. lcronos

        You didn’t pay any attention during Obama’s administration did you? In the US *BOTH* parties are guilty of this. It’s not a partisan issue at all. Obama expanded government surveillance at least as much as Bush did. Do you not remember all the NSA scandals?

        4 months ago
        Reply
    3. Captain Obvious

      Nothing quite says “I can’t get laid to save my life” like using the word “cuck”.

      4 months ago
      Reply
      1. novictim

        Trust me! Your Mama still puts out.

        4 months ago
        Reply
  5. Kettils Mjöd!

    Swede here, Our primeminister hides like a coward and refuses to say something! Our government throw away the key to our safety and should all be in jail!
    Whats funny is that our so called oppositionen have had all the chance to form a new government but they have to get help from the only sane political party here The nationalist swedendemocrats which is hated by them.

    It is time to act and the only political party that can be trusted is them, I would not hope too much that something is going to happen since our scumbag corrupt politicians and journalists always gets away with this kind of shit and put the blame on others but they have to pay for their crimes against their people and kingdom!

    Idiots here is more worried about SwedenDemocrats than those that is actually destroying our country! They blame SwedenDemocrats for everything because they are so brainwashed by the media and government which is doing everything to stay in power!

    It is sad but funny that our primeminister warned us and said we need to strengthen our security and be protected from foreign forces such as Russia from influencing the coming election and all politicians pretty much lies about SwedenDemocrats and think they have a connection to Russia. …

    4 months ago
    Reply
  6. surretull

    Well, this is what happens when you put capex oriented, penny-pinching bureaucrats in a position to make decisions that has real consequences on say, national security: They follow their program, optimize on capex (by putting services in the cloud, in itself a sensible thing), then they treat everything else as externalities; things that are not important for the next bonus, so no or inadequate funding is spent on risk assessment and mitigation is ignored, since it’s not mentioned in the bonus terms and hence ignoring them has no real cost for the bonus recipients.

    When the mission is accomplished, collect bonus and move on to next assignment, increase salary, and let someone else
    ™ clean up the mess. Rinse & repeat.

    4 months ago
    Reply
  7. Klaus

    I noticed that the responsible person was a woman.
    And in Sweden.
    .
    Say no more, say no more, nudge nudge…

    4 months ago
    Reply
    1. George Sanchez

      misoginist scum

      4 months ago
      Reply
  8. Neil Dudman

    Its as if useful idiots have been put in place to compromise the security of the nation state. Docking of month salary is an insult. Sounds much like the leaked of espionarge by israel from americal. Take a look at Brendon O’Connell on youtube very interest analysys of world politics and the part espionarge or leaking of security sensitve info has.

    4 months ago
    Reply
  9. DonTurnblade

    It is strangely comforting that I am not the only one to notice the double standards with justice when it comes to devastating data breaches.

    4 months ago
    Reply
  10. AngryNotSoOldHippy .

    Ha! Another dumbfuck agency which does not understand what “the cloud” means managed to release information on every person under witness protection status to “just anybody,” including information held in “the cloud” generated by Sweden’s military and intelligence agencies.

    Woops! But to make matters worse, the dumbfucks did not recall the first release containing secrets, instead they issued a request that people delete the “following list of inadvertently released information” then went on to LIST THE SECRET INFORMATION AGAIN! that they wanted people to delete.

    Derp!

    4 months ago
    Reply
  11. OllieJones

    Their vendor was IBM. There MUST be a backstory about whether IBM had any influence on the technical missteps that led to the security breach.

    A large organization, such as a sovereign government, might choose to retain a well-known vendor with a deep technical bench in order to avoid the obvious missteps, and deep pockets to assume some liability for errors and omissions.

    Did the transport ministry just sign up for a “cloud” account online and pay with a visa card? Or did they work with the vendor to plan security and migration?

    Mr. Falkvinge, if you know anything about the vendor situation here I hope you will write another news story.

    In the meantime, maybe the government should engage Troy Hunt and/or Bruce Schneier to educate them on threat assessment, mitigation, and incident response.

    (I’ve worked in health care IT in the US, and I would expect a stiff fine and a jail term if I were responsible for such leaks.)

    3 months ago
    Reply
    1. Wayne

      The IBM of today is sadly not the storied IBM of yesteryear. They are now more than capable of screwups like this. Whenever management talks about putting information “in the cloud”, I argue vociferously against it, and I pretty much invariably lose.

      One of my favorite IBM stories was my community college where I first started studying computer programming in the ’70s. They approached numerous computer vendors with requests for information to buy systems. Every vendor sent them information about their systems. IBM sent them the full set of OS manuals for JCL and COBOL, some 5′ of shelf space. While they ended up buying a Hitachi clone for the hardware, they bought the IBM software and printers.

      Data like this should never have been hosted outside. But this is what happens when “do more with less” becomes the ruling mantra.

      3 months ago
      Reply