Report: EU border system SIS II with numerous security gaps

Confidential reports are said to criticize thousands of weaknesses in the EU border system SIS II. The developers are too slow to rectify them.

Sign for customs control when entering the EU at an airport.

(Image: Oliver Hoffmann/Shutterstock.com)


The information system for officials at EU borders, Schengen Information System 2 (SIS II), is supposed to report “illegal immigrants” and suspected criminals in real time. However, confidential e-mails and test reports attest to numerous security gaps and weaknesses in the software.

Bloomberg obtained and analyzed these reports and emails together with Lighthouse Reports. In a 2024 report, the European Data Protection Supervisor (EDPS) classified thousands of security gaps with a risk rating of "high". In addition, an excessive number of accounts had administrator rights for database access, an "avoidable vulnerability that could be abused by internal attackers". There are no indications that data from SIS II has been accessed without authorization or stolen.

The aim of the Schengen Information System 2, which went live in 2013 after development delays, is to strengthen the external borders using digital and biometric means. It enables member states to view and issue real-time alerts when flagged individuals, members of suspected terrorist groups or people with outstanding arrest warrants attempt to cross EU borders. SIS II currently runs in an isolated network, but is to be linked to the EU Entry/Exit System (EES) in the foreseeable future, which will automate the registration of the hundreds of millions of annual visitors. EES is connected to the internet, which, the report warns according to Bloomberg, makes it easier for malicious actors to reach the highly sensitive information in the SIS II database.

Alerts in SIS II can include photos of suspects and biometric data such as fingerprints found at crime scenes. Since March 2023, the information also includes "return decisions", i.e., legal decisions that mark people for deportation from the EU area. The database is estimated to contain 93 million entries, the majority of which relate to stolen objects such as vehicles and identity documents, but around 1.7 million entries are said to be linked to people. Of these, 195,000 are classified as potential threats to national security. Bloomberg notes that individuals generally do not know what information about them is stored in SIS II until law enforcement acts on it. A data leak could make it easier for wanted people to avoid detection.

The audit report attests that SIS II is vulnerable to cyber intrusions that would give malicious actors unauthorized, far-reaching access. The agency EU-Lisa is responsible for managing large-scale EU IT systems such as SIS II. It reported the vulnerabilities to the Paris-based contractor responsible for developing and operating SIS II, Sopra Steria. It took the developers between eight months and five and a half years to resolve the problems.

However, according to the report, the contract stipulates that vulnerabilities with a risk rating of "critical" or "high" must be patched within two months of a fix being released. This apparently applies in particular to third-party components used in SIS II, for example from open-source projects. A company spokesperson told Bloomberg that SIS II, as a key component of the EU security infrastructure, is subject to strict legal, regulatory and contractual frameworks and that Sopra Steria's role is in line with these frameworks.


There was apparently also a dispute over the fees to be paid for patching security vulnerabilities. The emails show that EU-Lisa reported some security vulnerabilities to Sopra Steria in 2022, whereupon the company wanted to bill extra costs of 19,000 euros. EU-Lisa, however, considers the work to be covered by the monthly fees of between 519,000 and 619,000 euros for "corrective maintenance".

The report by the European Data Protection Supervisor (EDPS) also notes that 69 team members who are not directly employed by the EU had access to SIS II without holding the necessary security clearance. The EDPS report also attributes some of the failings to EU-Lisa. The agency is struggling with organizational and technical security gaps and should draw up an action plan with a clear strategy for dealing with vulnerabilities. Bloomberg notes that some of SIS II's problems stem from the fact that EU-Lisa relies heavily on consulting firms instead of building up technical capabilities within the agency. That is partly because the agency is under pressure to deliver projects it does not have enough staff to handle, people familiar with the matter told Bloomberg.

The EU Entry/Exit System is apparently not running smoothly either. It was due to start in 2022 and has been delayed several times because of technical difficulties, which are attributed to the French IT company Atos. It is now scheduled to go into operation in the EU member states in October.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.