The software used by EU border security forces to prevent undocumented immigrants and suspected criminals from travelling in the region is allegedly riddled with holes and vulnerable to cyber attacks. The Second Generation Schengen Information System (SIS II) is an IT system and database shared between most EU states for law enforcement and public security purposes. And according to a new collaborative between Bloomberg and investigative non-profit Lighthouse Reports, SIS II — which has been used since 2013 — is plagued with “thousands” of cybersecurity issues, to the extent that an EU auditor flagged them to be of “high” severity in a report filed last year.
The report notes that there is no evidence of any data theft, but the “excessive number” of accounts that unnecessarily have access to the database means it could be fairly easily exploited. During its initial rollout, SIS II’s major additions included fingerprint technology and photographs in alerts, and in 2023 the software was with upgraded data and enhancements to its existing functionality, including the ability to signal when someone has been deported from a country. Bloomberg reporters spoke to Romain Lanneau, a legal researcher at an EU watchdog called Statewatch, who warned that an attack would be “catastrophic, potentially affecting millions of people.”
Right now SIS II operates within an isolated network, but will soon be rolled into the EU’s , which will make registering biometric details a requirement for individuals travelling to Schengen-associated areas when it comes into effect, likely later this year. As the EES will be connected to the internet, a hack on the SIS II database will become significantly easier.
Bloomberg and Lighthouse note that while most of the SIS II system’s estimated 93 million records pertain to objects such as stolen vehicles, there are around 1.7 million linked to people. It adds that people usually aren’t aware that their details are logged in the database until law enforcement gets involved, so if the information was leaked, wanted individuals may find it easier to evade the authorities.
SIS II’s development and maintenance is managed by a Paris-based contractor called Sopra Steria. According to the report, as vulnerabilities were reported, they took between eight months and upward of half a decade to resolve. This is despite it being contractually obligated to fix issues deemed to be of critical importance within two months of releasing a patch.
A spokesperson for Sopra Steria did not respond to Bloomberg regarding the detailed list of allegations concerning SIS II’s security holes, but said in a statement printed in the report that EU protocols had been adhered to. “As a key component of the EU’s security infrastructure, SIS II is governed by strict legal, regulatory, and contractual frameworks,” it said. “Sopra Steria’s role was carried out in accordance with these frameworks.”
EU-Lisa, the EU agency that oversees large-scale IT systems like SIS II, regularly farms out duties to external consulting firms as opposed to building its own in-house tech, according to the investigation. The audit accused the agency of not informing its management about security risks that had been flagged, to which it responded by saying that all systems under its management “undergo continuous risk assessments, regular vulnerability scans, and security testing.”
