The Schengen Information System II (SIS II) had thousands of cybersecurity issues that the European Data Protection Supervisor, an EU auditor, deemed to be of “high” severity in a 2024 report. It also found that an “excessive number” of accounts had administrator-level access to the database, creating “an avoidable weakness that could be exploited by internal attackers”.
While there is no evidence that any SIS II data was accessed or stolen, a breach “would be catastrophic, potentially affecting millions of people”, said Romain Lanneau, a legal researcher at EU watchdog Statewatch.
SIS II, which was first implemented in 2013, is part of an EU-wide effort to strengthen the bloc’s external borders using digital and biometric technologies at a moment in which governments around the world are taking tougher stances on migration. The system allows member states to issue and view real-time alerts when tagged individuals, a group that includes terror suspects and people with outstanding arrest warrants, attempt to cross an EU border.
SIS II, which currently runs on an isolated network, will eventually be integrated with the EU’s Entry/Exit System, which will automate registration of the bloc’s hundreds of millions of annual visitors. EES will be connected to the internet, which could make it easier for hackers to access the highly sensitive SIS II database, the report warns.
Alerts issued by SIS II can contain photos of suspects and biometric data such as fingerprints taken from crime scenes. Since March 2023, the alerts have also incorporated so-called “return decisions” – legal rulings that flag a person for deportation. While the vast majority of the system’s estimated 93 million records relate to objects such as stolen vehicles and identity documents, about 1.7 million are linked to people.
Of those, 195,000 have been flagged as possible threats to national security. Since individuals don’t generally know that their information is in SIS II until law enforcement acts on it, a leak could potentially make it easier for a wanted person to evade detection.
The audit determined that SIS II was vulnerable to hackers overwhelming the system, as well as attacks that could enable outsiders to gain unauthorized access, documents show.
A spokesperson for EU-Lisa, the agency that oversees large-scale IT projects such as SIS II, said the agency couldn’t comment on confidential documents, but that “all systems under the agency’s management undergo continuous risk assessments, regular vulnerability scans, and security testing.”
source