SVT News was able to reveal on Thursday that the police and other authorities have happened to send internal e-mails and sensitive information to an unknown recipient, because polisen.se has been misspelled.

After the police were informed in late summer 2018, what was done and the authority reported to the Data Inspectorate about personal data incident. The authority also took a number of internal measures and also informed other authorities.

Despite this, employees at, among others, the Prison and Probation Service, the Swedish Tax Agency, the Coast Guard and Handelsbanken have accidentally spelled the police, and sent personal data and documents to an unknown recipient during the past six months.

In June 2019, an inmate at the Prison and Probation Service sent a transport plan detailing an upcoming rejection of two people to Thailand to the wrong police address. This several days before it was to be implemented.

"It's serious, we can't say anything else," says Security Manager Jörgen From Nordin.

One month later, an employee at the Coast Guard spelled a mistake and sent about 50 emails with crew and passenger lists to the wrong inbox.

"Take this seriously"

SVT Nyheter has taken note of the documents and can read over 2,000 persons' birthdates, passport details, and for staff also positions.

- We take it seriously. It should not go that way. But it is a small mistake that has had these consequences, says Mattias Lindholm, press officer at the Coast Guard.

- I think it's very good that it gets noticed. And that we have been able to take the measures that we should take when such an incident occurs and that we all may also become more aware of this.

Police Data Protection Ombudsman Mattias Råbe tells SVT News that it is the human factor that comes into play.

- We have gone out with information to the authorities closest to us, who usually send privacy-sensitive information with e-mail encrypted to the police and alerted them to this problem, but we have obviously not reached all, and it is difficult.

When asked why this type of communication is not sent encrypted within the police, Råbe responds that it does so, both within the authority and to others.

Required to spell correctly

Swedish authorities use a closed network called SGSI (Swedish Government Secure Intranet) to send protected e-mails between each other. But that means that the e-mail address is spelled correctly.

- If you misspell the addressee, it will not be included in this network, says Peter Jonegård, CERT-SE at the Swedish Agency for Social Protection and Contingency (MSB).

CERT-SE is Sweden's national "Computer Emergency Response Team" with the task of supporting the community in its work on managing and preventing IT incidents. But the responsibility lies ultimately with the user, that is, the sender, says both Peter Jonegård and IT security expert Anne-Marie Ekelund Löwinder.

So it is enough with a letter wrong to make it out of the secure government network?

- Yes, really, a letter wrong after trunk-that doesn't come in correctly. It is back to the user to double check. But should you use e-mail at all if it is sensitive, it is doubtful, says Peter Jonegård at CERT-SE.