Audit Reveals Severe Cybersecurity Gaps in EU’s Schengen Information System II

Bloomberg reported on the audit revealing serious cybersecurity flaws within the Schengen Information System II, which is used by EU border forces to track illegal immigrants and suspected criminals. The audit raises concerns about the system's design and security practices, with Sopra Steria, the contractor responsible, taking years to resolve these issues.

The Schengen Information System II, a critical tool used by EU border control authorities to identify illegal immigrants and suspected criminals, is at the centre of a cybersecurity controversy. 

A recent audit has uncovered thousands of security vulnerabilities, many of which have been classified as "high" severity by the European Data Protection Supervisor. These flaws are said to expose the system to both external and internal security threats, potentially compromising its effectiveness and the safety of sensitive border security operations.

The findings, published by Bloomberg, have sparked significant concern within the European Union, particularly regarding the role of EU-Lisa, the agency responsible for overseeing the system’s security. With many of the issues going unresolved for years, this audit calls attention to broader concerns about the EU's reliance on third-party contractors and consulting firms, as well as the governance of critical border control technologies.

Audit unveils critical cybersecurity flaws in Schengen Information System II

A comprehensive audit of the Schengen Information System II has revealed critical vulnerabilities, leaving the system exposed to both internal and external cybersecurity threats. The European Data Protection Supervisor flagged thousands of flaws, many of which were deemed to be of "high" severity. 

These vulnerabilities put the security of one of the EU's most important border control systems at risk. The issues within the system range from insecure coding practices to inadequate access controls, all of which contribute to the system’s overall fragility.

The Schengen Information System II is used by border authorities to track illegal immigrants and suspected criminals, playing a crucial role in the management of the EU's external borders. Yet, the security flaws uncovered in the audit point to significant gaps in the system’s design and maintenance, raising doubts about its ability to protect critical data and functions.

Vulnerabilities Leave the System Exposed to Both External and Insider Threats

The audit has revealed two major concerns: an excessive number of administrator-level accounts and a weak security architecture vulnerable to external attacks. The report states that an "excessive number" of accounts with administrative access has created a situation where the system is susceptible to insider threats, making it easier for malicious actors within the organisation to exploit weaknesses.

The introduction of such a large number of privileged accounts without proper oversight significantly heightens the risk of a cyberattack. In addition to this, the system faces potential risks from hackers who could overload it or gain unauthorised access to sensitive data.

Sopra Steria's delayed response raises questions over security oversight

Sopra Steria, the contractor responsible for maintaining the Schengen Information System II, took a staggering range of time to address these security issues. Some vulnerabilities were left unresolved for more than five years, while others remained pending for over eight months. This delay in patching high-risk vulnerabilities has raised serious concerns about the efficiency of the contractor’s response and their ability to meet the security standards required by EU authorities.

EU-Lisa, the agency responsible for overseeing the Schengen Information System II, was also criticised for not informing its management board about these serious vulnerabilities. The audit highlights a pattern of inadequate oversight and a failure to act decisively, underlining the challenges the EU faces in safeguarding its critical infrastructure.

Expert opinion: Addressing security gaps in the development lifecycle

Nicolette Carklin, a technical specialist at SecureFlag, commented on the findings, noting that these vulnerabilities highlight fundamental shortcomings in the development and maintenance of business-critical software. 

She explained, “The recent audit, revealing thousands of 'high' severity vulnerabilities in the Schengen Information System II, goes to show that business-critical software can suffer from basic engineering oversights. These findings point to shortcomings that include insecure coding practices and inadequate access controls.”

Carklin further elaborated on the risks, highlighting the excessive number of administrator-level accounts. “The 'excessive number' of administrator-level accounts introduces an unacceptable insider threat risk. Teams should enforce least privilege principles, role based access controls, and use just?in?time privileges for maintenance tasks. Together with continuous monitoring of account activity, these measures drastically reduce the attack surface.”

The expert stresses that security must be embedded into every stage of the software development lifecycle. “There should be threat modelling during the design phase, secure coding practices during implementation, code reviews and automated testing in development, and careful configuration and access control in deployment,” Carklin concluded.

The findings of the audit underscore the importance of integrating security at every step of software development. The Schengen Information System II’s vulnerabilities serve as a stark reminder of the risks that arise when security is treated as an afterthought, rather than a foundational component of system design.

The EU must take these findings seriously and work toward stronger security practices, including more robust oversight of contractors, improved training for developers, and a more vigilant approach to access control. Only by embedding security into every stage of the software lifecycle can such critical systems be safeguarded against the ever-evolving landscape of cyber threats.