A system used by EU border forces to flag illegal immigrants and suspected criminals in real time is plagued by software flaws and security vulnerabilities.
The Schengen Information System II allows border patrol and law enforcement authorities to exchange information about people who have been refused entry, missing persons, or wanted criminals, including photos and biometric data like fingerprints.
According to emails and a confidential audit report from the European Data Protection Supervisor (EDPS), which were obtained by Bloomberg and investigative newsroom Lighthouse Reports, the information-sharing system was severely flawed with bugs and security vulnerabilities, meaning that personal data that was stored in the database wasn’t properly secured.
The news outlets argue that the European privacy supervisor allegedly reported thousands of security vulnerabilities that were classified as “high” or “critical” in recent years. Furthermore, the Schengen Information System II was susceptible to DDoS attacks and attacks that allowed unauthorized persons to gain access to databases containing highly sensitive and personal information.
In addition, an “excessive number” of accounts were said to have administrator-level rights for the system, creating “an avoidable weakness that could be exploited by internal attackers.”
According to the news outlets, there’s no evidence that unauthorized third parties accessed the database or exfiltrated data. However, this may be because the Schengen Information System II currently works on an isolated, air-gapped network. In the future, the system is going to be a part of the EU’s new border system, the Entry/Exit System.
This database, which automatically collects biometric data from all non-European visitors to the EU, is no longer air-gapped but will be connected to the internet. This makes it easier for hackers to access the data in the Schengen Information System II database, the EDPS warns in its audit report.
Sopra Steria, the company responsible for the Schengen Information System II’s security, was notified of the vulnerabilities. Allegedly, it took between eight months and five-and-a-half years to fix the problems, while Sopra Steria initially promised to fix such critical vulnerabilities within two months.
A spokesperson for EU-Lisa, the agency that oversees large-scale IT projects such as the Schengen Information System II, said the agency couldn’t comment on confidential documents, but that “all systems under the agency’s management undergo continuous risk assessments, regular vulnerability scans, and security testing.”
Your email address will not be published. Required fields are markedmarked