The Swedish government has admitted to a huge data leak made by one of its own departments during an IT outsourcing procedure in 2015.
Sweden’s prime minister said it was “a disaster”, Swedish media reported.
Reports say that confidential data about military personnel, along with defence plans and witness protection details, were exposed by the Transport Agency.
They were visible to workers without security clearance during the transfer.
Last month, the agency’s former director general Maria Agren, who left her role in January, was fined 70,000 Swedish krona (£6,500, $8,500).
There is no suggestion that IBM Sweden, the outsourced company with which the data was shared, was in the wrong – and the tech giant declined to comment.
Operations to ensure that only security-cleared staff have access to the data will be completed by the autumn, the Transport Agency said in a statement.
It explained that Ms Agren had “decided to abstain” from the National Security Act, the Personal Data Act and the Publicity and Privacy Act when dealing with the outsourcing.
The agency declined to elaborate on the confidential data it holds but said it did not have a register of military pilots, airports or aircraft.
However, it said it did have information about people with “protected identities” – but added that they should not be worried.
“We have no indications indicating that data was disseminated improperly, so we do not see any direct cause for concern,” it said.
All of the data remained housed in Sweden, it said.
“I take this seriously and action has been taken,” said the agency’s new director general Jonas Bjelfvenstam.
“Obviously, we as an authority must comply with the laws, regulations and security requirements that apply in our area of activity. We are doing everything we can to avoid such a situation in the future.”
Rick Falkvinge, head of privacy at Private Internet Access and a founder of the Pirate Party, wrote in a blog that he believed it demonstrated that governments were not reliable guardians of data.
“Let’s be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison,” he said.