Sweden leaked every car owners' details last year, then tried to hush it up

In a slowly-unfolding scandal in Sweden, it's emerged that the country's transport agency bungled an outsourcing deal with IBM, putting both individuals and national security at risk. Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rik Falkvinge has been working to bring details of the …

  1. Adam 1

    don't over egg it

    > e-mailed the entire database in clear text messages

    It's not as sky falling as being made out. The data was protected by the BorkBork cipher whilst in transit.

    1. Anonymous C0ward

      > e-mailed the entire database

      If an attachment that size doesn't crash your mail client, it ought to get blocked by both outbound and inbound SMTP servers on the way.

  2. Destroy All Monsters Silver badge

    "I blanda'd up"

    Hoorrorific if true.

    But why is all that information even IN a single database?

    And what happens now? Free credit monitoring??

    1. Nick Stallman

      Re: "I blanda'd up"

      Free credit monitoring? For the people in the witness protection program?

      I'm sure they'll love that. They'd probably prefer free life insurance with an obscene payout.

      1. Anonymous Coward

        Re: "I blanda'd up"

        They could probably buy a pension really cheap.

        Anon: I don't want my ID leaked.

  3. ecofeco Silver badge

    Read the title, knew it was IBM

    All I had to do was read the title and I knew it was IBM.

    1. Meph
      Mushroom

      Re: Read the title, knew it was IBM

      I know IBM is the industry whipping boy for stupid mistakes at the moment, but in all honesty, this was setting them up to fail.

      Why the hell does a government keep sensitive military and police data in the same bit bucket with normal registration information!? In *ANY* IT system, someone somewhere has the ability to wander in and out of the system at will. By putting all this in one place, you have to accept that at least one person in the chain has the ability to grant access to any or all of the data to an unlimited number of people. The worst part is, you can have a data spill like this not from malicious intent, but (as the article says) from common, garden variety ineptitude.

      Pretty much all big business contractors will only work to the contract. If you want something extra that you failed to negotiate for in the original contract, it'll cost you extra. If the Swedish government kept everything in one place like this, and then outsourced the lot without putting some obscene contract terms in to specifically limit where the data gets manipulated, and who has the ability to grant access to it, then this fail is all on them. IBM's involvement was little more than the equivalent of trying to use a bucket of kerosene to put out a bonfire.

      1. razorfishsl

        Re: Read the title, knew it was IBM

        Clearly you have difficulty understanding that the whole world will be heading this way.

        IBM are just way ahead of the curve.

      2. Stevie

        Re: Read the title, knew it was IBM

        Low bid, of course.

        You get what you pay for, in this case a lack of training in the Govt staff at all levels.

        1. Adam 52 Silver badge

          Re: Read the title, knew it was IBM

          "Low bid, of course."

          It is IBM... I very much doubt that the final price will be low, even if the initial bid was low.

    2. BillG
      WTF?

      Re: Read the title, knew it was IBM

      @ecofeco wrote: All I had to do was read the title and I knew it was IBM.

      It's not IBM's fault:

      "[Sweden's] transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it..."

      Sweden's transport agency screwed this up! And why is Sweden selling this information to marketeers?

  4. Nolveys
    Big Brother

    Stories like this sure make me glad that the government is surveilling every aspect of everyone's existence possible and storing it all in huge databases. Of course there's no way that all could leak out as we know that government spy agencies are leak-proof.

    I'd love to see another Snowden/Shadow Brokers, but instead of releasing evidence of mass criminal activity or stealing and releasing malware this new person/group would dox congress. I'm talking every filthy little detail down to the lung capacity to the pet budgie owned by the transvestite prostitute that insert-ultra-right-wing-senator-here sees every Friday. That might do something to wake up our garbage legislators and maybe even the private sector to how dangerous this stuff can be.

    On the other hand, it probably would just encourage them to surveil more and move on to more important things.

    1. Mark 85

      > but instead of releasing evidence of mass criminal activity or stealing and releasing malware this new person/group would dox congress.

      That will never happen in our lifetimes. I'd assume that's kept in a very deep and dark place, possibly not on computer. After all, the agency has to assure itself of maximum funding in every year's budget and keeping the ones who vote on the budget in line is part of their self-imposed duty.

    2. Captain DaFt

      > On the other hand, it probably would just encourage them to surveil more and move on to more important things.

      Oh, that old news. I thought you were talking about this.

  5. Anonymous Coward

    Cloud

    Why are we still using this sad marketing term from 2015?

    "Servers", including the owner (and renter where applicable) is the correct term.

  6. Snorlax Silver badge
    WTF?

    "as much value as a truckload of dead rats in a tampon factory"

    I'm guessing that phrase probably makes more sense in Swedish?

    If somebody says "as useful as tits on a bull" you get the idea, but dead rats and tampons? What's the connection?

    1. DryBones
      Holmes

      Re: "as much value as a truckload of dead rats in a tampon factory"

      There isn't any. That's the point.

      1. Snorlax Silver badge
        FAIL

        Re: "as much value as a truckload of dead rats in a tampon factory"

        @DryBones:"There isn't any. That's the point."

        The guy made an unnecessarily long-winded statement about the value of dead rats in a tampon factory, possibly in an attempt at being ironic.

        Looks like you don't know how to make an ironic comparison either.

        Conflating two random things just makes you look stupid, or high. But maybe something was lost in translation...Can any native Swedish speakers comment?

        1. Spasticus Autisticus
          Happy

          Re: "as much value as a truckload of dead rats in a tampon factory"

          Tampons - furry things with a tail.

          Dead rats - furry things with a tail.

          That's how I saw it. Made me laugh, but I'm sick.

          Rik had fun with a 'mousey' found in a girl's handbag, The Young Ones party episode - a very good one.

      2. Adam 1

        Re: "as much value as a truckload of dead rats in a tampon factory"

        @Drybones, I'm with @Snorlax on this one. Round these parts, the construction is more subtle than "as much value as X on a Y", where X and Y bear no relation. Here at least there needs to be almost a relation. So tits on a cow; great, A++, would buy again. They can either get me milk for my coffee or feed my future dinner. Both excellent endeavours. Tits on a bull... not so much.

        Maybe something gets lost in translation, and I'm the first to admit that my knowledge about the manufacturing process for tampons is somewhat lacking, but truckloads of dead rats don't seem to have an equivalent that is used in the production. Maybe the word sounds like something, or maybe other parts of the world you can just say whatever you feel like with such a sentence construct. Curious.

    2. Infernoz Bronze badge

      Re: "as much value as a truckload of dead rats in a tampon factory"

      Yes, men should be wary of women having access to data like this because their brains are not hormone wired so well for technical security thinking! Also WTF were the database access controls to forbid access to restricted and higher security data, even in a stupidly monolithic database!

    3. Wulfhaven

      Re: "as much value as a truckload of dead rats in a tampon factory"

      No, it doesn't make any sense in Swedish either. Just like the multiple violations of laws regarding classified information that the gubbmint itself wantonly has committed for decades now. (This is just the tip of a very large iceberg with regards to how the department in question operates.)

      I'd wager Falkvinge was going for something along the lines of rats in a tampon factory are utterly useless, misplaced and a sanitary risk. Much like privacy handled by the government.

    4. Dave Harvey
      Facepalm

      Re: "as much value as a truckload of dead rats in a tampon factory"

      As no-one else seems to have noticed, I'll point out that it's actually a quote from the very aptly named film, "Top Secret"

      1. Ben Bonsall

        Re: "as much value as a truckload of dead rats in a tampon factory"

        > As no-one else seems to have noticed, I'll point out that it's actually a quote from the very aptly named film, "Top Secret"

        Nick: Listen to me, Hillary. I'm not the first guy who fell in love with a woman that he met at a restaurant who turned out to be the daughter of a kidnapped scientist, only to lose her to her childhood lover who she last saw on a deserted island, who then turned out fifteen years later to be the leader of the French underground.

        Hillary: I know. It all sounds like some bad movie.

        [Long pause. Both look at camera]

        1. This post has been deleted by its author

    5. Anonymous Coward

      Re: "as much value as a truckload of dead rats in a tampon factory"

      I guessed at rats-tails vs. string... but I was probably over-thinking...

  7. kain preacher

    The only way for us to be truly safe from these data breaches is to have a global data base of people who have had their details leaked. This data base needs to contain things like SS/NI #, home address, maiden name, driving license details, bank account details, children's and spouse's names. Needs to be secured with SHA-0 and hosted by a country with a track record of tight privacy laws. I suggest the United States. To make it easy for international police to access this data base I suggest that this data base be accessible by web site. Capita shall be given the contract.

    1. Bronek Kozicki

      You do realize that some journalist reading the above will assume you are being serious and at least 10 persons (all experts, as we all know non-experts have no access to comment here!) agreed with you. That's the idea, right?

      So, to enhance your original idea I propose to also store details of those who have not been leaked yet, in the same database. With a bool field to tell whether or not details have been leaked yet. By default set to true, and with validity constraint that the only allowed value is true.

      1. kain preacher

        Sorry, I just assume anyone that could find their way to el reg comment section would be able to detect sarcasm and would know about the general snarkiness on this site.

  8. eldakka

    marketers?

    > the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it

    Why are marketers, private organisations, receiving a feed of the entire government vehicle database, irrespective of whether it's encrypted or not?

    I understand that the government probably uses private marketing agencies to do its own mass-mailouts, but in that case only the necessary information for that particular mass mailout should be being sent to the specific marketers.

    I guess any PIs or re-possession agents or similar, or foreign intelligence gathering, need to cultivate contacts in marketing firms to get registration details. They don't need to bother with trying to subvert someone in the police or the Swedish DMV-equivalent.

    1. Anonymous Coward

      Re: marketers?

      > Why are marketers, private organisations, receiving a feed of the entire government vehicle database, irrespective of whether it's encrypted or not?

      It's semi-public data. Anyone can go to the transportstyrelsen website, punch in a reg number, and not only get details of the vehicle but have the name and address of the previous three owners sent to them by email or SMS.

      Organisations that are interested can get the dataset and scan it for particular types of vehicles, ownership changes, etc. So buy a used car, and in a few days you get letters from insurance companies giving you offers, local dealerships offering you servicing, etc etc.

      1. eldakka

        Re: marketers?

        Wow, ok, that's pretty fucked up.

        Here, you cannot get details, besides current registration status, from the DMV, it is restricted, private information.

        There would be an uproar if that sort of information was handed out.

        1. daddyo

          Re: marketers?

          In US, VA in particular each car dealer has a "tag" book. In theory helps speed taking trade-ins only from registered owner. Of not available to individual owners. Reasons: Money and Convenience.

    2. Prst. V.Jeltz Silver badge

      Re: marketers?

      " irrespective of whether it's encrypted or not?"

      Exactly. Who cares how secure it is if you can ask for a copy of it?

    3. Dan 55 Silver badge

      Re: marketers?

      The DVLA does it too. Why? It's a nice source of money.

      What could possibly go wrong? Naaah, nothing could possibly go wrong.

      1. Adam 52 Silver badge

        Re: marketers?

        "The DVLA does it too. Why? It's a nice source of money."

        The DVLA doesn't do quite the same thing. It will supply vehicle details with no keeper details and it will supply rough vehicle description with registered keeper geographic location anonymised to one of 1,000 vehicles and 300 households.

        They also do one-off keeper details for those intending to pursue legal action (in theory, but it doesn't check very hard) and a multiple request process for parking enforcement cowboys.

        And they bulk feed law enforcement.

        What they won't do is supply keeper details in bulk to the general public.

  9. a_yank_lurker

    Too Many Idiots in the Kitchen

    A classic screw up, an inept government agency (an oxymoron I know) and I've Been Moved (aka Itty Bitty Morons) to make a complete hash of this. Combined with outsourcing to other countries, not verifying if the people with access should have access, what else could go wrong?

    1. lglethal Silver badge
      Headmaster

      Re: Too Many Idiots in the Kitchen

      I'm not quite sure you understand what an Oxymoron is. An Oxymoron is two words which when put together don't make sense - a light darkness, a cloudy sun, or a small giant. In this case a "competent government agency", would be an Oxymoron. An inept government agency is the norm - at least when it comes to IT and data...

      1. Little Mouse
        Headmaster

        Re: Too Many Idiots in the Kitchen

        Sorry - Not quite.

        An oxymoron is actually a name, or maybe title, that seems to contradict the thing it is naming.

        The most overused example is probably "Military Intelligence". But there are many others to choose from - e.g. Great Yarmouth.

        1. Charles 9

          Re: Too Many Idiots in the Kitchen

          That's just one application of the word, but in general an oxymoron is a description that is self-contradictory. Such as "a regular abnormality" (since something abnormal, by definition, can't be regular) or a "squared circle" (since a circle, by definition, has no corners).

      2. Maty

        Re: Too Many Idiots in the Kitchen

        I think he meant 'tautology'.

        'Oxymoron' btw IS an oxymoron. The word is from classical Greek and means 'sharp-dull'.

  10. Anonymous Coward

    Abba-ismal

    Ring ring

    SOS

    Mamma Mia

    Hasta manyana

  11. David Roberts
    Headmaster

    Just me?

    "Type, model, weight, and any defects of any and all government and military vehicles, including their operator".

    I wonder what type, model and weight the average operator is and what their defects are.

  12. Your alien overlord - fear me
    Facepalm

    The Young Ones fan?

    I thought tampons were made of mice !!

    1. werdsmith Silver badge

      Re: The Young Ones fan?

      "A truckload of dead rats in a tampon factory"

      Please could somebody explain this simile for me ?

      Thanks.

      1. Lars Silver badge
        Coat

        Re: The Young Ones fan?

        "A truckload of dead rats in a tampon factory". Unless a Google translate "feature" one has to assume it's a comparison between rats in a sausage factory and rats in a tampon factory claiming they are more easily detected among tampons. Or perhaps it's just a silly thing to say.

      2. W4YBO

        Re: The Young Ones fan?

        "A truckload of dead rats in a tampon factory"

        A line from "Top Secret", Val Kilmer's first movie.

        1. lars.r

          Re: The Young Ones fan?

          I thought Real Genius was his first movie.. Oh, well.

  13. MatsSvensson

    Oh those Swedes!

    Meanwhile:

    Trump preparing new better-jobs-for-the-economy-plan to simplify storing of radioactive waste under playgrounds.

    More about Sweden after the break.

    1. Anonymous Coward
      Flame

      Re: America... no, the world, stranger than fiction!

      They already DID that: https://en.wikipedia.org/wiki/Love_Canal

      (Ok, it was not a playground... it was an entire school! There is a limit to intelligence, but not to...)

      1. earl grey
        Unhappy

        Re: America... no, the world, stranger than fiction!

        Just so you know about Love Canal...

        It was a clay sealed chem dump that met all the standards of the time and place.

        It was donated to the city/school district for putting a school on top of only and was NOT supposed to be dug down into.

        Some greedy wanker in the city/school saw all that wonderful vacant land sitting there and figured they could make a ton of money selling it off for housing lots.

        The builders dug down through the clay seal and put in basements and VOILA! chemicals leaking into everything!

        Raise a big stink any way you want, but the original canal served its purpose as originally constructed and if not dug into would still be sealed up tight today with none of the problems. The property should have been permanently noted on title transfer as being a former chem dump. I don't know if that happened or not and what subsequent "cleansing" of the records may have happened for the sales to progress. And yes, it sucked for those who bought property there.

        1. Anonymous C0ward
          Paris Hilton

          Re: America... no, the world, stranger than fiction!

          > Love Canal

          There's definitely a dirty joke in there.

          1. Bronek Kozicki
            Coat

            Re: America... no, the world, stranger than fiction!

            > There's definitely a dirty joke in there.

            Dirty - definitely. Joke - not so much.

  14. Anonymous Coward
    Pirate

    "Pirate Party founder and now head of privacy"

    Ironic, how money can change people....

  15. silks

    Reassuring

    Reassuring to know this isn't just the UK Government outsource experience :)

  16. adam payne

    "The leak seems to have happened over email after the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it – and when the error was discovered, the agency merely sent a new list and told subscribers to delete the old list themselves."

    #headshake #rolleyes

  17. Mahhn

    The country in one DB

    Having the entire country's data in one database, that is small enough to send in one Email, really?

    So a <15MB file. Maybe they could bring back privacy by bumping everyone's street address by 2 digits, or change the name of all 30 streets.

  18. michael105uk

    'Cloud'

    As others have mentioned, 'Cloud' is simply a marketing term - the fabric of still is made up of servers residing within datacentres with fibre connecting them.

    Considering the sensitive nature of the data contained in the mentioned database, has IBM even got a datacentre in Sweden, or were the Swedes happy for it to reside in Norway?

  19. Anonymous South African Coward Bronze badge

    Another data leak.

    It will never stop.

    1. Emperor Zarg

      It won't stop until we stop giving the Government our data and rescind their rights to use it as they wish. It seems everyone has forgotten that the Government is supposed to be the servant of the people.

  20. Anonymous Coward

    Most probably an intern going like :

    "Here's your [censored™] database in cleartext since we can't be arsed to figure out how this encryption doohicky works.

    Hakuna Matata. Nobody'll intercept it anyway. And if they do, they'll read the bit at the end of the email which will ask them nicely to delete it if it is not intended for them."

    We need an Alfred E Neumann icon.

  21. Anonymous C0ward

    And even the small organisation I work for

    is now doing disk encryption and 2FA. Although I'm sure I mentioned it three years ago.

  22. joker197cinque

    How is that even possible that data was not properly encrypted at rest and classified at common government levels ?

    I mean, even INSIDE the travel Agency there should be different clearances for data ... so it doesn't make any sense here.

  23. david_kral@hotmail.com

    What really happened - leakage to/by IBM or just admins had access doing nothing wrong?

    As far as I know, IT service providers like IBM are bound by confidentiality agreements and their employees are bound, too.

    If there's any leakage by IBM, is it somehow proven and documented?

    I think the biggest mistake was on Swedish customer side (in design of the database missing encryption of sensitive data fields - content not needed to be seen by DB admins + in low contractual requirements on confidentiality/certification of security standards on provider side etc.)

    When the scandal hits political floor and journalists are digging in it, facts are becoming less and less important.

    In Czech newspapers one could read, that Swedish government crisis because of Czech employees of IBM ... it could have been Belarus, Bangalore, ... any other IT service provision site in the world whom could have the customer contracted.

  24. Anonymous Coward

    Anything Sweden can do Norway can do better..like the Indian sub-contractor for a major Norwegian provider having access to the country's emergency services net for 14 months.

    Slowly but surely governments and key businesses are realising the error of their offshore outsourcing ways.
