Large numbers of police emails were sent in error by mistake - sensitive information was cleared

Both police and other government employees and private individuals have been sending large amounts of e-mail to an unknown recipient for over three years, in the belief that they have emailed the police.

In fact, messages have ended up with a private person, who has registered a domain whose spelling is similar to polisen.se. This is because the person has set up a function that automatically receives all messages regardless of what is in front of the @ sign, a so-called catch-all address.

Late summer 2018, just over 1.5 years after the first misspelled emails began to arrive, the person behind the address heard himself from the police - and they learned about the problem.

- I think it's a little unfortunate because it has had certain consequences. This has increased the risk that information will end up in the wrong place, says police data protection officer Mattias Råbe.

SVT Nyheter has, through a source, taken advantage of a large amount of the incorrectly sent e-mail. These are general questions and private messages, but also e-mails of a much more sensitive nature: information on crimes, victims and suspects, other vulnerable persons, ongoing police investigations, social security numbers and classified information and documents.

- Individuals have the right to place very high demands on the police when we need to handle their information, so this is a serious shortcoming, says Råbe.

The report on personal data incident that the police made to the Data Inspectorate in September 2018 states that these are more than 50 e-mails sent from the authority, of which about 10 contain “privacy-sensitive information, such as an application for a contact ban, a notification and photographs of suspects from a surveillance ".

SVT News has met Maria whose application for contact ban was sent incorrectly within the police.

- I feel damned. They are already in such a difficult situation, and then I think the police should handle it properly and do what they can instead of aggravating even more, she says.

But it is not just police officers who have neglected the keys and sent unprotected, sensitive emails in the wrong direction. For example, various employees at the Prosecutor's Office have emailed both a notification of contact ban and on at least two occasions in recent years also weekly lists of emergency numbers for lawyers and judges, with confidential telephone numbers.

- It is sensitive information. It sounds very scary if it goes ahead, says the employee of the Prosecutor's Office who sent the on-call lists.

Since it was discovered, the police have taken a number of measures and blocked the current domain for outgoing e-mail.

However, the measures have not prevented other authorities, companies and private individuals from continuing to email a misspelled police address without receiving an error message. SVT has taken note of misdirected e-mails dated as late as January 15 this year, ie one and a half years after the police became aware of the problem.

After SVT has asked the police questions about this, the authority has issued a press release stating that the police have initiated a preliminary investigation into suspected data breach and reported the incident to the Data Inspectorate.