Thousands of serious security vulnerabilities have been found in the Schengen Information System II (SIS II), which is used by EU border agencies to track illegal migrants and criminal suspects, according to confidential 2024 audit reports from the European Data Protection Supervisor (EDPS) obtained by Bloomberg.
The audit found an "excessive number" of accounts with administrator privileges, posing a risk of insider attacks. The system is also vulnerable to hacker overload and unauthorized access. While there is no evidence of a data breach, Statewatch researcher Romain Lannot warns that the breach could be "catastrophic" for millions of people.
Launched in 2013, SIS II contains around 93 million records, including 1.7 million profiles of individuals, 195,000 of whom are identified as threats to national security. The system stores biometric data such as fingerprints and photos, and, from 2023, deportation decisions. In the future, SIS II will be integrated into the internet-connected Entry/Exit System (EES), which could increase the risks.
The system contractor, Sopra Steria, was supposed to fix critical vulnerabilities within two months, but it took between eight months and more than five and a half years. EU-Lisa, the agency managing the project, failed to inform its board of directors about the problems and relied excessively on consultants. The audit also found that 69 external employees had access to the system without proper security clearance.
A Sopra Steria spokesman said the company acted in accordance with EU protocols. EU-Lisa stressed that it conducts regular security checks and eliminates risks depending on their criticality.
SIS II is part of the EU's efforts to create "smart borders." But experts, including Francesca Tassari of the University of the Basque Country, say EU-Lisa is struggling to cope with the complexity of the projects due to a lack of qualified staff and weak contract management.