Sweden scrambles to tighten data security as scandal claims two ministers

Sweden’s government has sought urgent assurances on data security from national agencies including the health, education and pensions services after a huge leak of private and sensitive information that has cost two ministers their jobs.

Amid reports by the Dagens Nyheter newspaper that confidential medical details were being handled by unscreened IT workers in Romania, the national broadcaster SVT said data outsourcing arrangements at six state agencies were being checked.

The checks follow a cabinet reshuffle last week in which interior minister Anders Ygeman and infrastructure minister Anna Johansson both stepped down after what the prime minister, Stefan Löfven, called an “extremely serious” security breach.

Several ministers had known about the breach, which followed a botched 2015 data outsourcing contract between the national transport agency and IBM Sweden, for at least 18 months but failed to inform the prime minister, media reported.

The former head of the agency, Maria Ågren, was fired in January and fined after security police found she had waived security clearance requirements for foreign IT workers when signing the agreement, in breach of privacy and data protection laws.

One transport agency official told police the data that IT workers in the Czech Republic, Serbia and Romania were processing without security clearance under the agreement was equivalent to “the keys to the kingdom”, Dagens Nyheter said.

Besides the entire national driver’s licence database, the records potentially included information on intelligence agents, military and police transport and personnel, people with criminal records and those in witness protection programmes, Swedish media have reported.

The Swedish military confirmed that details of its staff, vehicles, and defence and contingency planning could have been included in the breach, although the transport agency insisted it held no military data and there was no indication that any of the data had been “spread in an improper way”.

Although there is no evidence of actual harm being caused, Löfven said the incident was a “disaster” that had “exposed both Sweden and Swedish citizens to risks”. IBM Sweden has consistently said it does not discuss its dealings with clients.

But after opposition parties threatened the coalition with a vote of no confidence, Löfven promised to “take responsibility” and stay on at the head of his minority left-green government rather than call snap elections.

“I have no intention of plunging Sweden into political crisis,” the prime minister said, adding the country faced “formidable challenges” including Brexit, mounting tensions in the Baltic region and much-needed economic and social reforms. Sweden’s next general election is due in 2018.

Löfven resisted calls for the resignation of defence minister Peter Hultqvist, who has admitted knowing of the scandal since 2016, noting that he was not responsible for the transport agency and the army took protective steps early on.

Swedish IT experts told SVT the incident showed the government’s ignorance of how state agencies handle confidential and sensitive information. “This really shows their low level of expertise on how IT security is handled by the authorities,” said one consultant, Lars Mårelius.

Another, Anne-Marie Eklund Löwinder of the Internet Foundation, said agencies that handle citizens’ data should be subject to strict transparency and reporting requirements on all their data protection measures.


The Guardian view on a Swedish scandal: the precedence of privacy

It’s hard to believe that a government could be threatened with collapse because of the way it dealt with driving licences. But that is what has been happening in Sweden in the last week, and the story shows just how vulnerable and delicate the integrity of personal identity is once everything about everyone is recorded in a database somewhere. The story started in the recesses of the bureaucratic state: the transport agency, a branch of the civil service which has to keep records of every car, boat and aeroplane in the country. Since some of these vehicles are military and some of the drivers are people whose identity the state protects with special zeal from criminals, either because they are witnesses or spies, there are rules that state this can only be seen and altered by Swedish citizens who have been cleared by the security services.

In 2015, the incoming director general, Maria Ågren, discovered that this work was to be outsourced to IBM. That was part of a wider pattern which has seen both the left and right of Swedish politics privatise large parts of the old welfare state this century. The law said this couldn’t happen unless IBM’s data handlers had all had security clearance. Her own department told her that couldn’t be done in time. So she decided to ignore the law. IBM, in turn, had the work done in Serbia and elsewhere in eastern Europe. Complaints about security from within the organisation – and, later, from the security police – were ignored. The defence minister and the interior minister knew in the spring of last year but could not find the time to tell the prime minister until January this year, when Ms Ågren was quietly sacked and, later, fined. The government hoped that any potential scandal would disappear along with her.

It almost worked. The affair was only brought to light by the determined digging of journalists at the Stockholm paper Dagens Nyheter. Once the story was out in the open, the Social Democratic prime minister, Stefan Löfven, who heads a weak minority coalition, sacked two of the ministers responsible, but stood by his defence minister, Peter Hultqvist. The opposition parties propose a vote of no confidence in him when parliament returns in September. This they can easily win with the help of the far-right Sweden Democrats, whom all the other parties normally shun.

This is a case that has implications far outside the vicious intricacies of Swedish domestic politics. Sweden is often, rightly, praised for its transparency. But opening data to everyone can be as harmful as suppressing it. The care of citizens’ private data is now one of the tasks that any modern state must perform. In the Swedish case, applications for a driving licence can require a doctor’s certificate, which, being electronic, implies access to medical records. It is not enough to point to rules and procedures. The rules were all present in the Swedish case. They were simply ignored, and with no consequences, for far too long. What’s needed are robust methods of enforcing privacy protections, and institutional cultures that take them seriously. The more of our lives we trust to the databases of authority, and the more these are interlinked, the more power we give away to people who might mean us harm. Privacy and security have to take precedence over administrative convenience wherever governments deal with personal information.
