Swedish Transport Agency data leak
A botched IT outsourcing deal exposed Sweden's entire vehicle and driver-licence database — including data on protected identities, police, and military personnel — to foreign IT workers without security clearance, triggering a national political crisis.
- Victim: Swedish Transport Agency (Transportstyrelsen)
In July 2017, Sweden was plunged into one of its gravest peacetime security scandals — not because of a hacker, but because of a catastrophically mishandled IT outsourcing contract. The Swedish Transport Agency (Transportstyrelsen) had effectively exposed the country's entire vehicle and driver-licence database, along with troves of classified information, to foreign IT workers who had never been security-cleared.
What happened
In 2015, seeking to cut costs, the Transport Agency outsourced the operation of its vehicle and driver-licence registers to IBM. IBM in turn relied on subcontractors in the Czech Republic, Romania, and Serbia. Under significant time pressure — the predecessor agency had already begun laying off staff — Director-General Maria Ågren decided to bypass Sweden's standard security-clearance requirements, granting foreign technicians access to sensitive systems without the usual vetting.
The result was that entire databases and sensitive files were accessible to personnel outside Sweden who lacked clearance, in violation of Swedish law on the handling of secret information.
Impact
The exposed information was extraordinarily sensitive:
- The complete register of Swedish vehicles and driver's licences, including photographs.
- Data potentially revealing individuals in witness-protection and protected-identity programmes.
- Information reportedly touching police registers, members of secret military units, Swedish Air Force pilots, and government and military vehicles, plus details of national infrastructure.
There was no evidence the data was stolen by an adversary, but Sweden could no longer guarantee its confidentiality — the security failure was the exposure itself.
Fallout
- Maria Ågren was removed from office in January 2017 and fined for being careless with secret information.
- When the affair became public in July 2017, the political fallout was severe: two government ministers — the Interior Minister and the Infrastructure Minister — resigned, and Prime Minister Stefan Löfven's minority government narrowly weathered a no-confidence crisis.
Why it matters
The Transportstyrelsen affair is a landmark case in third-party and outsourcing risk for governments. It showed that a "leak" need not involve an attacker at all — that handing data to unvetted outsourced staff can itself constitute a national-security breach. The scandal reshaped how Sweden governs the outsourcing of sensitive public-sector IT, tightening rules on security clearance, data sovereignty, and ministerial accountability, and it remains a defining European example of self-inflicted exposure of state secrets.
Timeline
- The Swedish Transport Agency outsources management of its vehicle and driver-licence registers to IBM to cut costs.
- Director-General Maria Ågren waives standard security-clearance rules under time pressure; IBM uses subcontractors in the Czech Republic, Romania, and Serbia who can access the data.
- Säpo, Sweden's security service, raises alarms about the unvetted foreign access to sensitive registers.
- Maria Ågren is removed from her post; she is later fined for mishandling classified information.
- The scandal becomes public, revealing the scale of the exposure of sensitive national data.
- Political fallout forces the resignation of two government ministers; the government survives a no-confidence threat.
Sources
- thehackernews.com: https://thehackernews.com/2017/07/sweden-data-breach.html
- thelocal.se: https://www.thelocal.se/20170725/swedish-government-battles-political-fallout-from-transport-data-leak
- thelocal.se: https://www.thelocal.se/20170721/it-workers-in-other-countries-had-access-to-secret-records-report
- careersinfosecurity.co.uk: https://www.careersinfosecurity.co.uk/sweden-grapples-sensitive-data-leak-scandal-a-10139