Source code of Swedish e-government services has been leaked

https://darkwebinformer.com/full-source-code-of-swedens-e-government-platform-leaked-from-compromised-cgi-sverige-infrastructure/

47•tavro•1h ago

Comments

robertlagrant•46m ago

The source code is the least of it! From the article:

> citizen PII databases and electronic signing documents were also collected but are being sold separately

simonklitj•46m ago

Man, you've got to be a real low-life to sell all of that.

blell•31m ago

You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.

xorcist•24m ago

It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?

And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.

lukan•17m ago

If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.

dns_snek•5m ago

[delayed]

dijit•8m ago

The point of a system like this is specifically that it’s accessible and not air gapped.

Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible

AdamN•45m ago

Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.

worldsayshi•41m ago

I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)

ACS_Solver•38m ago

I saw it on SVT a few hours ago. DN and Expressen have also reported. The details about what exactly it is that got leaked are unclear (some report it's basically the code and certs responsible for BankID SSO) but this is certainly being reported domestically.

worldsayshi•35m ago

In Aftonbladet comments from CGI they seem to think that no production related data has been leaked:

https://www.aftonbladet.se/nyheter/a/ArvG0E/cgi-sverige-uppg...

jetsetman192•38m ago

Encryption keys are mentioned as well.

teroshan•38m ago

Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.

[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...

steve1977•30m ago

Is this the open source stuff everyone is talking about?

rebolek•25m ago

Maybe they should go open source from the start, then there's nothing to leak.

P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).

Lionga•21m ago

How much GDPR fine will they pay? Oh wait it's gov so nothing / does no matter even if.

Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.

Well the citizens need to suck it up.

Habgdnv•13m ago

Few years ago a huge NRA database was left public with admin/1234 or similar by the NRA. They government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone access it - it is his fault - he broke the law.

Edit, i checked the facts: The Bulgarian government said that the it should pay too much to itself, and appealed the fine for few years until it somehow expired. And the guy (20 year at that time) they accused was later acquitted after they tried to ruin his life.

noosphr•19m ago

I like paper documents for this very reason.

It's very hard to steal everyone's documents when they weight about the same as a train.

latexr•12m ago

But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.

JensRantil•17m ago

I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to be what the "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.

corroclaro•15m ago

This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".

Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.

Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.

bengale•8m ago

The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.

blin2h•12m ago

What forum is the original screenshot from? It reminds me of cs.rin.ru

Want to Win a New CanaKit Raspberry Pi 5 Starter Kit Pro?

Prompt engineering vs. context engineering: a practical guide for AI builders

Solder Ninja Pen: USB-powered soldering iron compatible with Weller RT tips

OSS Document Scanner

Line: Language with Intuitive and Natural Expression

40 Years of Wireless Evolution Leads to a Smart, Sensing Network

Analysis → Implementation → Reflection – a practical technique for agentic AI

Phoenix Arizona is likely to see its earliest 100f(38c) day on record, in March

Automating the Ticket-to-PR Cycle for Power Platform Code Apps with Azure DevOps

Hacking the Job Interview

"Agentic" is only a marketing term

Ask HN: Got cancer, a new job,new boss in less than a year What do I do now?

Gaming on the New MacBook Neo [video]

Ask HN: How are remote engineers outside US/EU landing paid startup contracts?

Show HN: Wardstone – Prompt injection and jailbreak detection API

Show HN: Who watches the watchmen? A public decision track record for AI agents

Selling Selfcontext.com Domain

The Controllability Trap: A Governance Framework for Military AI Agents

Each time an AI was given a task to invent best-seller web app

YC Startup School India

Fork: One CLI to Build Firmware for Any MCU

I mass-replaced FFmpeg's MJPEG decoder with Claude Code – 4K LOC, 8% the speed

Need feedback to build a product for founders to track decision-making

The AI-Powered Kubernetes IDE

AI toys for children misread emotions and respond inappropriately

9B parameter coding agent model fine-tuned on top of Qwen3.5-9B

Searching for a Well Designed API

Qualcomm exploit chain brings bootloader unlocking freedom to Android flagships

Things I do when I'm writing code that don't look like writing code

Show HN: Flowly – Smooth scrolling for third-party mice on macOS