Swedish data security

Swedish ministers resign amid data security breach scandal

Citizens’ sensitive personal information may have been leaked.

By MARK SCOTT AND CONNOR MURPHY

Two senior Swedish ministers resigned on Thursday as the country’s government tried to limit the political fallout from a security breach that may have led to large-scale disclosure of citizens’ sensitive personal information.

Sensitive data was potentially leaked to contractors in Romania and the Czech Republic, among other Eastern European countries, who were employed to work on a project outsourced to IBM Sweden. The data breach — one of the largest in the country’s history — included the potential disclosure of Swedish driving license records and classified information such as data on military vehicles.

While the extent of the leak remains unclear, it comes as governments worldwide are facing an increase in cybersecurity threats from groups of hackers, as well as those sponsored by other countries’ intelligence agencies. There has been a raft of recent attacks around the globe as cyberattackers have targeted the British health system, Ukrainian banks and government agencies, as well as individuals from the United States to France.

The most recent leak in Sweden is not connected to such activities. But the accidental disclosure of masses of sensitive information on Swedish citizens, experts warn, highlights how policymakers often fail to implement the most basic protections to ensure citizens’ digital data is kept safe.

Swedish Prime Minister Stefan Löfven said that Anders Ygeman, the country’s home affairs minister, and Anna Johansson, the infrastructure minister, had both resigned because of the scandal. The prime minister refused to call an early election, despite demands from opposition political parties.

“I have to take responsibility for the country,” he said on Thursday. “It wouldn’t serve Sweden to throw the country into a political crisis.”

The country’s center-left government has been engulfed in crisis in recent days over a data security breach at the Swedish Transport Agency.

The resignations of two of the country’s ministers shows how issues concerning individuals’ privacy are quickly becoming hot-button topics in an ever-more connected world.

“There are national security and personal privacy implications to this data breach,” said Simone Fischer-Hübner, a privacy and security professor at Karlstad University in Sweden. “There’s been a lot of bad practices.”

The controversy in Sweden dates back to 2015, when the country’s transport agency outsourced its IT operations to IBM Sweden. Revelations about how the sensitive data was sent overseas and may have been illegally accessed by contractors was first made public earlier this month after local media reports claimed that Maria Ågren, the Swedish Transport Agency’s director general, was fired and fined by the country’s authorities in January for the mishandling of classified material.

The Swedish government said the damage from the data breach may have been limited, though Prime Minister Löfven confirmed that he was first informed about the incident in early 2017.

Earlier this week, Löfven, who is the leader of the Social Democratic Party, said the breach was “a mess” and had “exposed both Sweden and the Swedes to risks.”

Nevertheless, Jonas Bjelfvenstam, the current director general of the Swedish Transport Agency, said there were “no indications that data was disseminated improperly.”

IBM said that it took “data privacy very seriously,” but would not comment further on the depth of the data breach.

While two Swedish ministers have resigned over the scandal, a third — Defense Minister Peter Hultqvist — will remain in his post, despite opposition demands for his removal.

Sweden’s opposition political parties have already called for a vote of no-confidence to unseat the government ministers caught up in the scandal.

“The first question I would ask is whether the Swedish Transport Agency, by outsourcing some work to what I presume are IT body shops in Serbia and the Czech Republic, simply granted those folks open access to its network,” said Rik Turner an infrastructure analyst at Ovum, the technology research company. “If that is the case, then this was just plain stupidity.”