25 July, 2017
In a bid to cut down on expenditure, the Transport Authority, at Maria Ågren's behest, apparently outsourced the management of the vehicle and license register to IBM in April 2015.
Reports indicate that the data included crucial information on Sweden's transport and infrastructure, including all military vehicles.
Sweden's government knew about the data breach last year but kept quiet about it, according to SvT.
Swedish newspaper Dagens Nyheter (DN), which has seen the police investigation documents, reports that the IBM employees in the Czech Republic were given full access to all data and logs, while firewalls and communications were maintained by a company in Serbia.
Not only that, but it also includes data on Swedish air force fighter pilots, all members of the government's secret military units, crime suspects, and people under the witness relocation program.
Sweden's Transport Agency moved all of its data to "the cloud", apparently unaware that there is no cloud, only somebody else's computer. This government intranet is then connected to the EU's secure network sTESTA, meaning the botched contract also put the EU's secure network at risk.
'All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance,' wrote privacy activist Rick Falkvinge in a blog post.
This is not the first time the transport authority's security processes have been found lacking.
In March last year, the entire vehicle register was sent to subscribing marketers, but crucially this list contained individuals from witness protection and similar programs. Sweden's government said no military vehicle details were included, though vehicles registered to civilians were. This is nothing unusual; however, the copy was sent as a full list including the identities of those in witness protection and similar programs, which were pointed out with a request for subscribers to delete such records themselves. If you thought that was bad, even the weight capacity of all roads and bridges in Sweden was leaked. She was found guilty of being "careless with secret information" and was fined 70,000 Swedish krona ($8,500, £6,500).
It started out with a very speedy trial where a Director General in Sweden was fined half a month's pay.
Swedish papers report that the agency's report into this incident is so heavily redacted that it's impossible to learn the sensitivity of this exposure.
While it remains unclear if the data has actually been accessed by foreign actors or compromised, the fix is expected no earlier than this fall, according to the transport agency's new director, Jonas Bjelfvenstam.
"If a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison".