The Transport Agency has been outsourcing its IT maintenance since 2015 for budget management, and the personnel reportedly did not undergo the usual security checks.
The Transport Agency staff described the outsourcing, without proper security checks, as "handing over the keys to the Kingdom". Administrators in the Czech Republic were reportedly given full access to all data and logs, while sensitive communications were stored by a company in Serbia.
According to Pirate Party founder Rik Falkvinge, the leaked databases covered every vehicle in the country — including police and military registrations, plus details of individuals on witness protection programs. Moreover, the leaked information on individuals in the database included members of the military.
"This leak is especially nasty, as they have opened the lock to our entire defense. In addition to the pilots' home addresses, their private cars and phone numbers were also leaked," an anonymous retired pilot told Swedish media outlet Expressen.
"The fact that a security check has not been made is serious. That means you have not tested the people's loyalty and don't know whether you can trust them from the Swedish side. In the case of Serbia, there's a fairly close relationship between the Serbian and Russian intelligence services. In the worst case, foreign intelligence services have been given an access route into the computer systems," security expert Johan Wiktorin told the Swedish newspaper Dagens Nyheter.
Meanwhile, it appears that the Swedish authorities tried to hush up the leak, Minister for Infrastructure Anna Johansson claimed that her former state secretary Erik Bromander kept her unaware of the situation until January this year, despite having information on the matter as early as February 2016. According to Johansson, even the Nordic nation's, Minister for Home Affairs, Anders Ygeman and, Minister for Defense, Peter Hultqvist were also informed in early 2016, SVT reported.
"What happened at the Transport Agency was a disaster. The government has therefore replaced the leadership of the authority and ensured that the relevant authorities have taken measures to limit the harmful effects," Stefan Löfven noted in a written statement.
The Swedish Democrats (SD) party leader, Jimmie Åkesson, called the situation "extremely serious," venturing that responsible ministers must be brought to account. Åkesson voiced interest in joining a possible vote of no confidence against the Swedish government, currently mulled by the SD, the Left Party and the Christian Democrats (KD).
"In Sweden, confidential information should always be handled by the Swedish authorities. The SD and I support the KD's proposal of creating a crisis commission. We will also support a vote of no confidence, if nothing changes the situation," Jimmie Åkesson tweeted.
The maintenance of the Transport Agency's vehicle and license register was outsourced to IBM in April 2015 in order to save money. However, the transfer took place under time pressure, which led to the usual security rules being effectively bypassed. The Transport Agency's new director general, Jonas Bjelfvenstam, said he could still not guarantee that unauthorized persons had no access to the agency's IT system. According to him, the leak would be safely plugged only by autumn, Dagens Nyheter reported.
Last month, Sweden's red-green government presented a new national strategy for information and cyber security.
"If you have information critical to society, it is hardly a good idea to store it somewhere where you can't control it," Anders Ygeman said.
