Sweden's Prime Minister is under intense pressure to resign following a massive data breach that disclosed sensitive details of almost every citizen.
Sweden's Defence, Interior and Infrastructure Ministers are facing a no-confidence vote, but the Prime Minister is holding the fort for now.
The political upheaval follows an investigation by Säpo, the country's security service, into the Swedish Transport Agency, which allegedly leaked sensitive details of millions of citizens that it stored in a database on the cloud.
What really happened?
A couple of years ago, the Swedish Transport Agency entered into a contract with IBM under which IBM was to manage the agency's databases and networks. After the deal was signed, the agency decided to upload its entire database to the cloud, where IBM employees could access and monitor it.
At the same time, the agency emailed notifications to marketers who subscribed to the database. While this followed procedure, the problem was that all of the data in the database was in plain text, with no encryption. It was later observed that unauthorised IBM employees located in the Czech Republic were also able to access the database and its contents.
According to The Hacker News, the data breach exposed 'names, photos and home addresses of millions of Swedish citizens, including all registered drivers, fighter pilots of Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation programme, the weight capacity of all roads and bridges, and much more'.
Taken together, these records covered nearly the entire population of Sweden.
An official investigation into the massive leak was launched almost a year after the leak took place. The investigation was triggered after a private company emailed the transport agency, informing them of the leak.
The investigation finally resulted in the dismissal of the agency's Director General Maria Ågren in January this year. She was also fined half a month's pay for being careless with secret information.
In her defence, Ågren said that she had to close the agreement with IBM quickly under immense pressure from her superiors and that she didn't apply legal guidelines that gave protection to citizens' personal data and privacy.
On Monday, Sweden's Prime Minister Stefan Löfven confirmed that he had knowledge of the data breach and the subsequent investigation, resulting in a scathing attack from opposition parties asking him to take responsibility for the data leak.
Opposition parties have also threatened to call a no-confidence vote in Parliament against the Defence Minister, the Interior Minister, the Infrastructure Minister and the Prime Minister himself.
While Löfven has partially capitulated by confirming that the Interior and Infrastructure ministers would resign, he is still fighting to keep his chair as well as his Defence Minister's.
A newly formed alliance of opposition parties has threatened to topple the government and has asked Löfven to call fresh elections. He still has the numbers, but his survival depends on the stance of the far-right Sweden Democrats party. The party said recently that if the Defence Minister doesn't resign, it would introduce a no-confidence vote against the government as well.
With the government scurrying for answers following the largest data leak in history, it isn't clear if the government will survive for long. It also remains to be seen if the political storm will change the way government agencies handle sensitive data, who they share it with and how they ensure its protection.
'Limiting data access and taking a privacy-by-design approach goes a long way in proactively protecting critical data. Perhaps most importantly, government agencies - and any organisation that processes and stores sensitive data - need to establish and uphold strong cybersecurity and data protection practices: not only for internal use but for all third party contractors as well,' said Ken Spinner, VP of Global Field Engineering at Varonis.