Europe's Schengen border security system vulnerable to hacks. Audit warns of catastrophic beach risk

Time of India

3 days ago

Tired of too many ads?
Remove Ads
Tired of too many ads?
Remove Ads
Tired of too many ads?
Remove Ads
An information-sharing system used by EU border forces to flag illegal immigrants and suspected criminals in real time was rife with software and security vulnerabilities, according to emails and confidential audit reports obtained by Bloomberg News and investigative newsroom Lighthouse Reports.The Schengen Information System II had thousands of cybersecurity issues that the European Data Protection Supervisor, an EU auditor, deemed to be of 'high' severity in a 2024 report. It also found that an 'excessive number' of accounts had administrator-level access to the database, creating 'an avoidable weakness that could be exploited by internal attackers.'While there is no evidence that any SIS II data was accessed or stolen, a breach 'would be catastrophic, potentially affecting millions of people,' said Romain Lanneau, a legal researcher at EU watchdog Statewatch.SIS II, which was first implemented in 2013, is part of an EU-wide effort to strengthen the bloc's external borders using digital and biometric technologies at a moment in which governments around the world are taking tougher stances on migration. The system allows member states to issue and view real-time alerts when tagged individuals, a group that includes terror suspects and people with outstanding arrest warrants, attempt to cross an EU border.SIS II, which currently runs on an isolated network, will eventually be integrated with the EU's Entry/Exit System, which will automate registration of the bloc's hundreds of millions of annual visitors. EES will be connected to the internet, which could make it easier for hackers to access the highly sensitive SIS II database, the report warns.Alerts issued by SIS II can contain photos of suspects and biometric data such as fingerprints taken from crime scenes. Since March 2023, the alerts have also incorporated so-called 'return decisions' — legal rulings that flag a person for deportation. While the vast majority of the system's estimated 93 million records relate to objects such as stolen vehicles and identity documents, about 1.7 million are linked to people.Of those, 195,000 have been flagged as possible threats to national security. Since individuals don't generally know that their information is in SIS II until law enforcement acts on it, a leak could potentially make it easier for a wanted person to evade detection.The audit determined that SIS II was vulnerable to hackers overwhelming the system, as well as attacks that could enable outsiders to gain unauthorized access, documents show. When EU-Lisa, the agency that oversees large-scale IT projects such as SIS II, reported these issues to Sopra Steria, the Paris-based contractor responsible for developing and maintaining the system, the company took between eight months and more than five-and-a-half years to fix the problems, according to the report and emails between EU employees and Sopra Steria.Under the terms of its contract with EU-Lisa, Sopra Steria was obliged to fix 'critical and high' software vulnerabilities within two months of a patch being released, emails and two audit reports show.A spokesperson for Sopra Steria declined to respond to a detailed list of allegations about security vulnerabilities in SIS II, but said in a statement that the company followed EU protocols.'As a key component of the EU's security infrastructure, SIS II is governed by strict legal, regulatory, and contractual frameworks,' the spokesperson wrote. 'Sopra Steria's role was carried out in accordance with these frameworks.'Emails seen by Bloomberg and Lighthouse Reports showed that EU-Lisa employees flagged cybersecurity issues to Sopra Steria on several occasions in 2022. Sopra Steria argued in one email exchange that patching some of the vulnerabilities would cost an extra €19,000. In response, EU-Lisa said the work should be covered by the existing contract, which included a fee of between €519,000 and €619,000 per month for 'corrective maintenance,' according to a document detailing Sopra Steria's fees for the project.The EDPS audit also noted that 69 team members not employed directly by the EU had access to SIS II despite lacking the necessary security clearance. It's not clear if they were Sopra Steria employees or other contractors.The audit blamed some lapses on EU-Lisa, which did not inform its management board about security vulnerabilities after they were identified. In the documents, auditors described the EU agency as struggling with 'organizational and technical security gaps' and recommended that it set up an action plan with a 'clear strategy' for addressing vulnerabilities. In addition to SIS II, the agency maintains a database of asylum seekers' fingerprints, called Eurodac, and a visa waiver system similar to that of ESTA in the US.A spokesperson for EU-Lisa said the agency couldn't comment on confidential documents, but that 'all systems under the agency's management undergo continuous risk assessments, regular vulnerability scans, and security testing.''Any risks identified are assessed, prioritized, and addressed based on their criticality, with appropriate mitigation measures defined and closely monitored,' the spokesperson added.Some of the problems with SIS II stemmed from EU-Lisa's tendency to rely heavily on consulting firms rather than build technological capabilities in-house, according to three people familiar with the matter, who asked not to be identified as they weren't authorized to speak publicly. This was partly because of pressure to deliver on projects that the agency did not have the staff to complete quickly.The Entry/Exit System, the high-tech border system intended to automate visitor registration in Europe — and another project overseen by EU-Lisa — has also been struggling. The system was supposed to launch in 2022, but has been delayed multiple times due to technical problems largely attributed to the French IT firm Atos, Bloomberg and Lighthouse Reports reported in December. The EU Commission said two months ago that member states would switch on some parts of EES in October.Over the last decade, the European Union has been trying to implement so-called smart borders to keep track of the increasing number of people traveling into the bloc. The creation of a decentralized agency like EU-Lisa in 2012 should have made developing these systems easier, said Francesca Tassinari, a lawyer and researcher at the University of the Basque Country and an expert on EU IT systems. 'But unfortunately the agency has not proven sufficient to manage the scale and complexity of the project.'Part of the reason for that, explained Leonardo Quattrucci, a senior fellow at the Center for Future Generations, is that the EU lacks people with experience in procuring and managing these contracts.'Procurement should be treated as a strategic function, but it's currently a compliance process,' he said. 'You need the owners of the process to be specialists.'