Exactly at 16.49 on 28 February this year, a very heavy congestion attack was launched against the Swedish Transport Agency. Not only the website was affected, but also the underlying IT system. The authority was not the only target – at the same time, an overload was also directed at the bank Nordea, which was most noticeable in its Finnish operations.
An overload attack, also called a ddos attack, usually involves only temporary problems for the victim. Large networks of hijacked computers send information to the target servers, so much so that after a while the servers are unable to do so and stop working. However, such an attack does not mean that the attacker comes across sensitive information, or that systems are permanently damaged.
But now DN can tell that the ddos attack on the Swedish Transport Agency had hitherto unknown consequences, which meant that the authority failed to check sensitive information about particularly vulnerable people.
This is information in a database where traffic accidents are registered, called Strada, which is operated by the Swedish Transport Agency. There, both the police and the health service enter information, information about where and how an accident occurred – but also information about the people involved. The information is described as “sensitive personal data” by the authority. The database is not available to the public, but a number of state and municipal authorities and researchers have access to it.
Because the database is so sensitive, automatic, daily checks are also made to ensure that no persons with protected information, such as those living under threat, are in the database. This is done through beatings against the Swedish Tax Agency.
In ordinary cases, then. Because while the attack was going on, the IT system that makes the check was knocked out.
In the Danish Transport Agency’s report about the incident, which DN has been informed of, it appears that the authority does not know exactly how many were affected but that the number is estimated at between one and ten. There, the incident is also classified as a third on a four-point scale, in terms of how serious it is. The report is largely covered by confidentiality.
– The attack not only knocked out the website, but large parts of our IT system, says Mikael Andersson, press manager at the Swedish Transport Agency.
Are you still not sure how many were affected?
– We obviously have no information on the number affected, so therefore we have made an estimate.
The bug was discovered on March 2 but had not been fixed until March 7, a week after the attack.
– Some types of hassle can take a few days to remedy. In this case, we also needed to cooperate with another authority, which meant that it probably took longer, says Mikael Andersson.
The attack has been reported to the police and the investigation is ongoing. The incident has also been reported to the Swedish Civil Contingencies Agency, MSB, and to the Swedish Privacy Agency.
Read more:
Linus Larsson: These are not congested sites we should worry about
Sold identity: How hackers take over Swedes’ digital lives