Europe's Schengen border security system vulnerable to hacks. Audit warns of catastrophic beach risk
Remove Ads
Tired of too many ads?
Remove Ads
Tired of too many ads?
Remove Ads
An information-sharing system used by EU border forces to flag illegal immigrants and suspected criminals in real time was rife with software and security vulnerabilities, according to emails and confidential audit reports obtained by Bloomberg News and investigative newsroom Lighthouse Reports.The Schengen Information System II had thousands of cybersecurity issues that the European Data Protection Supervisor, an EU auditor, deemed to be of 'high' severity in a 2024 report. It also found that an 'excessive number' of accounts had administrator-level access to the database, creating 'an avoidable weakness that could be exploited by internal attackers.'While there is no evidence that any SIS II data was accessed or stolen, a breach 'would be catastrophic, potentially affecting millions of people,' said Romain Lanneau, a legal researcher at EU watchdog Statewatch.SIS II, which was first implemented in 2013, is part of an EU-wide effort to strengthen the bloc's external borders using digital and biometric technologies at a moment in which governments around the world are taking tougher stances on migration. The system allows member states to issue and view real-time alerts when tagged individuals, a group that includes terror suspects and people with outstanding arrest warrants, attempt to cross an EU border.SIS II, which currently runs on an isolated network, will eventually be integrated with the EU's Entry/Exit System, which will automate registration of the bloc's hundreds of millions of annual visitors. EES will be connected to the internet, which could make it easier for hackers to access the highly sensitive SIS II database, the report warns.Alerts issued by SIS II can contain photos of suspects and biometric data such as fingerprints taken from crime scenes. Since March 2023, the alerts have also incorporated so-called 'return decisions' — legal rulings that flag a person for deportation. While the vast majority of the system's estimated 93 million records relate to objects such as stolen vehicles and identity documents, about 1.7 million are linked to people.Of those, 195,000 have been flagged as possible threats to national security. Since individuals don't generally know that their information is in SIS II until law enforcement acts on it, a leak could potentially make it easier for a wanted person to evade detection.The audit determined that SIS II was vulnerable to hackers overwhelming the system, as well as attacks that could enable outsiders to gain unauthorized access, documents show. When EU-Lisa, the agency that oversees large-scale IT projects such as SIS II, reported these issues to Sopra Steria, the Paris-based contractor responsible for developing and maintaining the system, the company took between eight months and more than five-and-a-half years to fix the problems, according to the report and emails between EU employees and Sopra Steria.Under the terms of its contract with EU-Lisa, Sopra Steria was obliged to fix 'critical and high' software vulnerabilities within two months of a patch being released, emails and two audit reports show.A spokesperson for Sopra Steria declined to respond to a detailed list of allegations about security vulnerabilities in SIS II, but said in a statement that the company followed EU protocols.'As a key component of the EU's security infrastructure, SIS II is governed by strict legal, regulatory, and contractual frameworks,' the spokesperson wrote. 'Sopra Steria's role was carried out in accordance with these frameworks.'Emails seen by Bloomberg and Lighthouse Reports showed that EU-Lisa employees flagged cybersecurity issues to Sopra Steria on several occasions in 2022. Sopra Steria argued in one email exchange that patching some of the vulnerabilities would cost an extra €19,000. In response, EU-Lisa said the work should be covered by the existing contract, which included a fee of between €519,000 and €619,000 per month for 'corrective maintenance,' according to a document detailing Sopra Steria's fees for the project.The EDPS audit also noted that 69 team members not employed directly by the EU had access to SIS II despite lacking the necessary security clearance. It's not clear if they were Sopra Steria employees or other contractors.The audit blamed some lapses on EU-Lisa, which did not inform its management board about security vulnerabilities after they were identified. In the documents, auditors described the EU agency as struggling with 'organizational and technical security gaps' and recommended that it set up an action plan with a 'clear strategy' for addressing vulnerabilities. In addition to SIS II, the agency maintains a database of asylum seekers' fingerprints, called Eurodac, and a visa waiver system similar to that of ESTA in the US.A spokesperson for EU-Lisa said the agency couldn't comment on confidential documents, but that 'all systems under the agency's management undergo continuous risk assessments, regular vulnerability scans, and security testing.''Any risks identified are assessed, prioritized, and addressed based on their criticality, with appropriate mitigation measures defined and closely monitored,' the spokesperson added.Some of the problems with SIS II stemmed from EU-Lisa's tendency to rely heavily on consulting firms rather than build technological capabilities in-house, according to three people familiar with the matter, who asked not to be identified as they weren't authorized to speak publicly. This was partly because of pressure to deliver on projects that the agency did not have the staff to complete quickly.The Entry/Exit System, the high-tech border system intended to automate visitor registration in Europe — and another project overseen by EU-Lisa — has also been struggling. The system was supposed to launch in 2022, but has been delayed multiple times due to technical problems largely attributed to the French IT firm Atos, Bloomberg and Lighthouse Reports reported in December. The EU Commission said two months ago that member states would switch on some parts of EES in October.Over the last decade, the European Union has been trying to implement so-called smart borders to keep track of the increasing number of people traveling into the bloc. The creation of a decentralized agency like EU-Lisa in 2012 should have made developing these systems easier, said Francesca Tassinari, a lawyer and researcher at the University of the Basque Country and an expert on EU IT systems. 'But unfortunately the agency has not proven sufficient to manage the scale and complexity of the project.'Part of the reason for that, explained Leonardo Quattrucci, a senior fellow at the Center for Future Generations, is that the EU lacks people with experience in procuring and managing these contracts.'Procurement should be treated as a strategic function, but it's currently a compliance process,' he said. 'You need the owners of the process to be specialists.'
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
India Today
an hour ago
- India Today
Day off cancelled, Delhi employees forced to attend PM's rally: AAP shares video
The Aam Aadmi Party on Sunday accused the BJP of forcing Municipal Corporation of Delhi (MCD) employees to attend Prime Minister Narendra Modi's rally in the city. The party alleged that the sanitation workers and other staff's Sunday-off was cancelled and were threatened with suspension or dismissal if they refused to Minister Modi addressed a gathering in Rohini, inaugurated the Dwarka Expressway and the Urban Extension Road-II (UER-II), projects worth nearly Rs 11,000 crore. PM Modi also addressed a rally after the also shared videos on social media to support its claims. In one clip, a speaker alleged, 'By issuing a Tughlaqi order, they were told that whoever does not come today will be terminated by the DC, or they will be suspended. This is the kind of open threats and hooliganism that the BJP government in Delhi is doing with our MCD sanitation worker brothers today.'Boycott .... AAP (@AamAadmiParty) August 17, 2025 Another video showed a sanitation worker describing how he was forced to attend despite personal family commitments. He claimed that workers were 'kept sitting under pressure' and warned against disobeying Delhi Education Minister Manish Sisodia called the move an insult to teachers. 'Sending teachers in Delhi to clap at Modi ji's rally under government orders is a gross insult to teachers by the BJP. Teachers are nation-builders, not a crowd for some rally,' he said. He contrasted the BJP's approach with the AAP government's record of sending teachers to Finland and Cambridge for training, alleging that the ruling party 'has reduced them to merely clapping.", , Manish Sisodia (@msisodia) August 17, 2025AAP state president Saurabh Bhardwaj, addressing a press conference, claimed that employees were pressured into attending. 'To fill the shortage of BJP workers, employees of MCD and other departments have been pressurised and sent to the rally venue,' he further alleged that sanitation workers, malaria department staff, licenced branch employees, and MCD school teachers were transported to the venue in .... AAP (@AamAadmiParty) August 17, 2025Atishi, Leader of the Opposition in the Delhi Assembly, also accused the BJP of misusing MCD staff. 'BJP has made Safai Karamcharis (sanitation workers) their political workers. The BJP should answer. On what basis were the Safai Karamcharis called in the name of duty on Sunday and sent to the rally? Is it the job of MCD to increase the crowd in Modi ji's rally?' she asked on X.- EndsMust Watch
The Hindu
an hour ago
- The Hindu
Serbia's populist leader vows tough response to protesters following riots
Serbia's President Aleksandar Vucic on Sunday (August 17, 2025) announced tough measures against anti-government protesters following days of riots in the streets throughout Serbia that have challenged his increasingly autocratic rule in the Balkan country. In one of his frequent TV addresses to the public, Mr. Vucic accused the anti-government demonstrators of 'pure terrorism' and reiterated his claims that months of persistent protests against his rule have been orchestrated in the West and aimed at destroying Serbia. 'Our country is in grave danger, they have jeopardised all our values, normal life, each individual,' Mr. Vucic said, alleging an elaborate scheme that would eventually install 'anarcho-leftist' authorities in the future. He did not offer any concrete evidence for his claims. 'Unless we undertake tougher steps it is a question of days when they (protesters) will kill someone,' Vucic said. 'I am saying this for history.' The stern warnings came after five consecutive nights of clashes between the protesters on one side and police and Vucic's loyalists on the other. Angry protesters on Saturday evening torched Vucic's governing Serbian Progressive Party offices in a town in western Serbia, and of other ruling coalition allies. The demonstrators on Saturday evening also clashed with police in Belgrade, the capital, and in the northern city of Novi Sad. Riot officers used tear gas against demonstrators who hurled stun grenades, flares and bottles at them. Mr. Vucic did not specify what the state response that he said would come within a week. But he stressed that a state of emergency is not imminent. Scores of people have already been detained and injured in the past days, while police have faced accusations of excessive force and arbitrary detentions of protesters. 'You will witness the determination of the state of Serbia,' Vucic said. 'We will use everything at our disposal to restore peace and order in the country.' The clashes this week marked a major escalation following more than nine months of largely peaceful demonstrations that started after a concrete canopy collapsed at a train station in Serbia's north, killing 16 people. Many in Serbia blamed the tragedy on alleged widespread corruption in state-run infrastructure projects that they say fueled poor renovation work. The Serbian president has faced accusations of stifling democratic freedoms while allowing organised crime and corruption to flourish. He has denied this. Serbia is formally seeking EU membership, but Mr. Vucic has maintained strong ties with Russia and China. On Sunday, he praised Russia's backing for his government against what he called a 'colored revolution' against his government.
&w=3840&q=100)
First Post
an hour ago
- First Post
Putin agrees to US-Europe plan for NATO-style security guarantees for Ukraine, says Trump envoy
Russia's Vladimir Putin agreed at his summit with President Donald Trump to allow the United States and its European allies to offer Ukraine a security guarantee resembling NATO's collective defence mandate as part of an eventual deal to end the 3 1/2year war in Ukraine. Russian President Vladimir Putin has agreed in principle to allow the United States and its European partners to extend Ukraine a form of collective security guarantee modelled on NATO's Article 5, according to U.S. special envoy Steve Witkoff. Speaking on CNN's State of the Union on Sunday, Witkoff described the concession as 'game-changing,' noting that this was the first time Moscow had accepted the possibility of such protections. 'We were able to win the following concession: that the United States could offer Article 5-like protection, which is one of the real reasons Ukraine wants to be in NATO,' he said. STORY CONTINUES BELOW THIS AD Read Also: A non-NATO pact for Ukraine? US floats Western alliance-style security guarantees for Kyiv Article 5 of NATO stipulates that an attack on one member is considered an attack on all. While details remain scarce, the offer could provide a pathway around Putin's longstanding opposition to Ukraine joining the Western military alliance. Witkoff, who attended Friday's talks in Alaska alongside Secretary of State Marco Rubio, also said Russia agreed to legislate against infringing the sovereignty of other European nations. 'There was plenty more,' he added, without giving specifics. Outlining some of the details about the private discussions, Witkoff also said Russia had agreed to enact a law that it would not 'go after any other European countries and violate their sovereignty. And there was plenty more.' European Commission President Ursula von der Leyen, speaking at a news conference in Brussels with Ukrainian President Volodymyr Zelenskyy, applauded the move. 'We welcome President Trump's willingness to contribute to Article 5-like security guarantees for Ukraine and the 'Coalition of the willing' — including the European Union — is ready to do its share,' she said. Zelenskyy thanked the United States for recent signals that Washington was willing to support such guarantees, but that much was unclear. 'It is important that America agrees to work with Europe to provide security guarantees for Ukraine,' he said, 'But there are no details how it will work, and what America's role will be, Europe's role will be and what the EU can do, and this is our main task, we need security to work in practice like Article 5 of NATO, and we consider EU accession to be part of the security guarantees,' he said. STORY CONTINUES BELOW THIS AD Witkoff defended Trump's decision to abandon his push that Russian agree to an immediate ceasefire, which Trump had set as a benchmark going into the meeting. Witkoff said the Republican president had pivoted toward a peace deal because so much progress was made. 'We covered almost all the other issues necessary for a peace deal,' Witkoff said, without elaborating. 'We began to see some moderation in the way they're thinking about getting to a final peace deal.' Rubio, who appeared on three Sunday news shows, said there was not going to be any kind of truce reached because Ukraine was not at the summit. 'Now, ultimately, if there isn't a peace agreement, if there isn't an end of this war, the president's been clear, there are going to be consequences,' Rubio said on ABC's 'This Week.' 'But we're trying to avoid that.' Rubio, who is also Trump's national security adviser, said he did not believe imposing new U.S. sanctions on Russia would force Putin to accept a ceasefire. STORY CONTINUES BELOW THIS AD 'The minute you issue new sanctions, your ability to get them to the table, our ability to get them to table will be severely diminished,' Rubio told NBC's 'Meet the Press.' He also said 'we're not at the precipice of a peace agreement' and that getting there would not be easy and would take a lot of work. 'We made progress in the sense that we identified potential areas of agreement, but there remains some big areas of disagreement. So we're still a long ways off,' Rubio said. Zelenskyy and Europeans leaders, who heard from Trump after the summit, are scheduled to meet with him at the White House on Monday. 'I think everybody agreed that we had made progress. Maybe not enough for a peace deal, but we are on the path for the first time,' Witkoff said. He added: 'The fundamental issue, which is some sort of land swap, which is obviously ultimately in the control of the Ukrainians — that could not have been discussed at this meeting' with Putin. 'We intend to discuss it on Monday. Hopefully we have some clarity on it and hopefully that ends up in a peace deal very, very soon." STORY CONTINUES BELOW THIS AD With inputs from agencies
