Ok, some important context for non-Swedes.
Anyone can get access to all Swedish (non-protected but those are a very VERY small subset) personal identification numbers by simply signing an agreement with SPAR[1] (the Swedish national people database). Identification numbers per se are not particularly useful or hard to get, they are effectively public information. Using SPAR you can also get the home (and any additional) addresses of individuals<p>A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.<p>[1] <a href="https://www.statenspersonadressregister.se/master/start/english-summary/" rel="nofollow">https://www.statenspersonadressregister.se/master/start/engl...</a>
I think this is good to highlight for non-Scandinavians.<p>Scandinavian countries are extremely open and transparent in a way that might be shocking for Americans. For example, in Norway, I can check nearly anyone's brokerage account holdings, addresses, phone numbers, etc. on public websites. I can in theory look up anyone's tax filings.<p>Personal identification numbers do not tend to be considered private in the same way that social security numbers in the US are.
We're so open, we even leak our government source code _ourselves_ <a href="https://github.com/navikt" rel="nofollow">https://github.com/navikt</a>
I heard a rumor that some people use this to check their neighbour's revenue and sometimes make snark comments if one of them has a high revenue but lives in a "average revenue" part of town.<p>They'd say that if you earn a lot, you shouldn't take a cheap housing.<p>Any truth to that?
> They'd say that if you earn a lot, you shouldn't take a cheap housing.<p>I think a lot of "humbleness" is also enforced this way, in the US seems normal (or even some European countries) to flaunt your wealth, and others seem more or less OK with it, while in Sweden it's much more socially unacceptable to in any sort of way brag about being rich, or showing that off. Humble-richness is OK and tolerated, but flagrantly displaying your wealth among the public is generally frowned upon.<p>So together with that, living in a average neighborhood but have a house that sticks out as clearly "rich person's house" will gain you evil looks from your neighbors, as you're "supposed to" live in a different neighborhood where neighbors look more equal, otherwise you again stick out, which is cause for friction culturally.<p>Lots of culture in Sweden is less about "lets correctly solve the problem" and more "lets ensure the gaping holes aren't so visible for everyone, so we can ignore it properly".
There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.<p>Nowadays I think mostly journalists use it to pull up information about politicians and other people that are in the public spotlight. There are of course the yearly "richest people in Norway" lists in various categories.
> There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.<p>Yeah, kind of a fake solution, request it via Ratsit or whatever and all they get to see is that someone used Ratsit, but not who actually requested it.<p>Same goes for criminal cases, using Krimfup or whatever just leads to the service's name "leaking", while you can use fake details to sign up for both Ratsit and Krimfup.
Yes and no. You get notified if someone else actually asks for your revenue info and so in practice nobody actually does it.
Making snark comments about that sounds very unlikely. More likely they'd have respect for someone living frugally and not showing off. See <a href="https://en.wikipedia.org/wiki/Law_of_Jante" rel="nofollow">https://en.wikipedia.org/wiki/Law_of_Jante</a>
We don't talk to our neighbours.
What is the harm in this case? Shit people are shit even without information. They would be snark about something else then.
Yep, that tracks.<p>There's also the underlying current of Jantelagen (Law of Jante) <a href="https://en.wikipedia.org/wiki/Law_of_Jante" rel="nofollow">https://en.wikipedia.org/wiki/Law_of_Jante</a>
How do they have handle identity thefts, spams, etc.?<p>There are so many ways to misuse these data. Are the residents not concerned about this?
The root cause of identity theft in USA and some other places is the lack of "proper" national identity and the associated use of various personal "secrets" (not that secret) for identity verification because there are no good easy other ways.<p>Businesses in Scandinavia and many other countries would not treat someone knowing your personal information as any evidence of identity (because it's not); having all that information is not sufficient to impersonate you there - identity theft does happen but it would require stealing or forging physical documents or actual credentials to things like bank accounts; knowing all of what your mother or spouse would know is not enough to e.g. get credit or get valuable goods in your name.
The US has no single national photo + chip ID card that is available to everybody, for free, including illegal and semi-illegal immigrants and homeless people with no access to their birth certificate and such.<p>It's completely crazy to me that you can be "out of status" with the USCIS and still get a social security card and a bank account, for example.
"Identity theft" is newspeak right up there with "intellectual property". It serves the sole purpose of diminishing real theft. If someone says "we gave all your money to this other guy, but it's not our fault because he had stolen your identity" doesn't make it so. There are cases of mistaken identity, and with criminal intentions, but there is also an enormous majority of not checking identity because someone was lazy.
Just knowing someone's name, address, and ID number isn't enough to like, open a bank account in their name or such. You'd need a proper ID card or passport for that. Similar thing with most businesses if you try to pay for some product with credit, they won't accept just a few digits and a pinky promise, you'll need to identify yourself properly (the BankID app for instance).
We just change our identity every three years or so.<p><a href="https://www.youtube.com/watch?v=BK2gKuqbOHo" rel="nofollow">https://www.youtube.com/watch?v=BK2gKuqbOHo</a>
> How do they handle identity thefts<p>By just accepting it as a normal fact of life that you will have some random stuff ordered in your name sooner or later with an invoice you'll have to dispute. Happened to a relative of mine, police do not care unless they order things above a certain value, without a police report you cannot get free ID protection, and then you'll have to sit for a long time in phone queues trying to cancel a subscription for a streaming service or whatever they ordered while get thrown around by support reps who go "you SURE you or someone in your family didn't order this?"
That sounds rather unacceptable.
Yes, I don't think anyone truly wants it to be like this. But it's just what happens.<p>You of course cannot access and empty out someone's bank account this way, you're safe in that regard. But you need to dispute the invoices as soon as possible to show that it is fradulent, so you don't end up needing to actually pay for it. Or get debt collectors after you.
It basically never happens. I don't know where the GP got their story from.
I am Swedish and never had this happen to me. Never had random things show up or ordered for me at all. What would the point be, you have to pay or get an invoice? For Klarna they use BankID so only <i>I</i> can order an invoice for myself in reputable shops.<p>I am in my 30s btw so I was alive before BankID and it was a worse time. Remember my parents paid bills with paper.
It's just a unique ID of a person, it's not a password. I don't see how you can be confused by this.
And then there are widespread amounts of identity theft and mapping out of minorities, but you may sleep well as everyone knowing where you do so is an important step in making sure corruption is no more, don't think too much about it.
Not open but stupid, IMHO.
<i>Identification numbers per se are not particularly useful or hard to get, they are effectively public information</i><p>They are absolutely trivial to get. One click on mrkoll.se.
> by simply signing an agreement with SPAR<p>But that seems like a completely different thing than a nefarious and anonymous person or group having access to the entire database.
Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]<p>[1]: <a href="https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-information-har-lagts-ut-pa-darknet" rel="nofollow">https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...</a><p>[2]: <a href="https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-om-incident-kopplad-till-interna-testservrar" rel="nofollow">https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...</a>
I dont know nothing about this particular leak, but I have worked at Skatteverket.<p>Let me just say, the likelihood that CGI would have any _actual_ real personal data is close to 0%, at least on servers outside of Skatteverket. I had access to absolutely nothing even working inside. I have never worked in a more closed-down system, maybe excepting the swedish military "complex". No, actually that was less locked down in a way, at least once you were "inside" the system.
As a Swede this is giving me shudders, the statements reeks of paper-pushers and certification-chasers that don't seem to understand fundamental risks of how how threat actors can move around once having established footholds, hopefully there's more competent people down in the trenches.
Are we allowed to vibe code some positive changes and submit them for review?
The source code is the least of it! From the article:<p>> citizen PII databases and electronic signing documents were also collected but are being sold separately
Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.
Man, you've got to be a real low-life to sell all of that.
Encryption keys are mentioned as well.
I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)
What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?
To the best of my understanding it means that a system made by CGI for digital signing of documents (as in: you get something like a PDF from a government agency and need to digitally sign it and send it back) has had its source code and/or some data belonging to it leaked.<p>Skatteverket, the Swedish tax authority, has been quoted in media as confirming that they use CGI's system for digital document signing but that none of their data nor that of any citizens has been leaked.<p><a href="https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-information-har-lagts-ut-pa-darknet" rel="nofollow">https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...</a><p>"One of the government agencies that uses CGI’s services is the Swedish Tax Agency, which was notified of the incident by the company. However, according to the Swedish Tax Agency, its users have nothing to worry about.<p>“Neither our data nor our users’ data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there,” says Peder Sjölander, IT Director at the Swedish Tax Agency."
So if no data was leaked from the tax agency or from the users, then the leaked "digital signing documents" must have belonged to the only remaining party, which is CGI, so perhaps they were just some marketing documents about the benefits of their digital signing service?
The original phrasing from the attacker, from the website that put the data up for download/sale, was ”documents (for electronic signing)” which implies that they’re documents that would be signed in said system. I would take all of this with a large helping of salt though. CGI claims it’s not real production data anyway; maybe it is and maybe it’s not.<p>The best case scenario is in line with what CGI claims: these are lorem ipsum fake docs from an old git repo for a test instance of the system.
If that is case, then it would have been wrong from the beginning for any government to keep hold of the private keys for the signature on my citizen card.<p>Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.
I apparently didn't phrase that very well. If what is the case? I was trying to ask which case was the case, not trying to claim that something specific was the case.<p>I'm familiar with electronic signatures, and I know what documents are, but I have never heard the phrase "electronic signing documents" and don't know what that is supposed to mean. What kind of documents? Documents <i>about</i> signing, documents that <i>were signed</i>, documents in the sense that files containing keys could be considered documents, or what?
In Portugal we were early adopters for digital signatures on citizen cards.<p>You use the card reader, insert your gov-issued identification and can sign PDF papers which have legal validity since the private key from the citizen card was used.<p>Now imagine someone signing random legal documents with your ID for things like debts, opening companies or subscritions to whatever.
We might've lucked out here, there is some signature data on ID cards today and official _plans_ to make a government backed signing service, but practically _nobody_ uses them in practice to just revoking all those keys will be a minor issue.<p>Currently most Swede's use a private bank consortisum controlled ID solution for most logins and signatures.
I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to be what the "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.
It's not going to be a specific service or agency with a domain name, it's going to be services that are either internal and used by employees only, or that are integrated into other systems that you may be interacting with without knowing it.
I would guess that skatteverket.se, polisen.se, kronofogden.se are among those affected by the leak.
Some other comments mention BankID private keys . That would be the biggest disaster as that’s what everyone uses to identify themselves “securely” on all government services.
That's an interesting <i>guess</i> that I assume is based on absolutely nothing?
Yes, nothing and the facts that these are government services, they use BankID and they updated their websites with "maintenance work" announcements for tomorrow, Saturday. For kronofogden.se there was no maintenance planned just half an hour ago. Knowing swedish tendency to plan things months ahead I would _guess_ that this maintenance work has been rushed due to some circumstances.
Nothing in particular, based on my understanding CGI a Swedish IT consultant company was hacked, they have contracts for and are the maintainers and developers of a bunch of various government departments IT services.
There is no such thing according to Peder Sjölander, IT Director at the Swedish Tax Agency:<p><a href="https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-information-har-lagts-ut-pa-darknet" rel="nofollow">https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...</a><p><i>– Neither our data nor our users' data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there, says</i><p><i>The information that source code was leaked from a joint government e-platform is not true, according to Peder Sjölander.</i><p><i>– There is no such platform. I think the perpetrators in this want people to feel insecure. We feel confident that our data is safe and we have the situation under control before the tax return period opens next week.</i>
Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.<p>[1] <a href="https://flashism.wordpress.com/2010/03/09/swedish-armed-forces-team-test/" rel="nofollow">https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...</a>
Maybe they should go open source from the start, then there's nothing to leak.<p>P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).
When I worked for the government in Norway, it slowly changed to all code being developed in the open. 3k repos here now: <a href="https://github.com/orgs/navikt/repositories" rel="nofollow">https://github.com/orgs/navikt/repositories</a><p>When I started it was a big security theater. Had to develop on thin clients with no external internet access, for instance. Then they got some great people in charge that modernized everything.<p>Only drawback is when you quit, you have to make sure to unsubscribe from everything, hehe. When quitting a private company I was just removed from the github org. Here I was as well, but I was still subscribed to lots of repos, issues, PRs,heh.
Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.<p>Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".
CGI has a lot of consultants in both government and municipal places (i've worked at both), and some of our main tools like time reporting was built as a addon to our personnel system by consultants at CGI. half my team are consultants from CGI, 4 out of 7 people.<p>also: hi tavro! it's been a few years, how have you been :D
Anything taxpayer funded should be open source to begin with.
Similarly taxpayer funded contracts for any type of infrastructure (obviously I have digital infrastructure powered by proprietary solutions in mind) should only be awarded if interoperability is guaranteed to prevent lock-in and abuse.
<a href="https://publiccode.eu" rel="nofollow">https://publiccode.eu</a>
Most important question: do Swedish e-government services use curl?
I like paper documents for this very reason.<p>It's very hard to steal everyone's documents when they weight about the same as a train.
But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.
> it’s easy to lose all of them in a fire or flood<p>Wouldn't a fire or flood affect everything? Both data stored on paper and hard disks?
The good news is you can keep offline, offsite digital copies, which is much more convenient than offsite paper copies.
I think what the comment meant was that it's harder for an individual to lose their paper documents compared to losing the electronic ones. It just shifts who's responsible for keeping them safe
This is a feature not a bug.
Problems with well-known solutions 100 years ago:<p>"Fireproof file rooms and cabinets in the 1920s were crucial for protecting business and government records during the rapid expansion of the industrial era. The era saw a massive shift from flammable wooden office furniture to robust, steel-based storage designed to resist both fire and water damage."<p>That's a Google AI summary - but I've been in a fair number of buildings with such rooms. Thick concrete walls, heavy steel fire doors, no other openings, <i>nothing</i> but steel file cabinets in 'em, sealed electric light fixtures that look like they belong in a powder magazine (where one spark could kill everyone) - it's really simple tech.<p>And "high ground" was a reliable flood protection tech several centuries before that.
Then add “earthquake” to the list, or “domestic terrorists or foreign country bombing the building”. Steelman the argument. The point isn’t “just fire and water specifically”, we’re not playing Pokémon.<p>We have several historic examples of records being lost in disasters, and way more recent than 100 years ago.<p><a href="https://en.wikipedia.org/wiki/National_Personnel_Records_Center_fire" rel="nofollow">https://en.wikipedia.org/wiki/National_Personnel_Records_Cen...</a><p>It makes no difference that we could’ve prevented that with better building construction. We didn’t, and hindsight does not bring the records back. We should plan for the world we want but cannot ignore the world we have.<p>I’m not defending digital as always better or criticising physical. Like I said, <i>different tradeoffs</i>, meaning there are advantages and disadvantages to both, there’s no solution which is better in all situations.
I stuck to the threats you mentioned. Paper in a file room is more slightly more quake-resistant and bomb-resistant than digital. But slower to move to safety if the threat is large volcanic eruptions.<p>I am not saying that paper is magically perfect. Nor better in every situation. I am saying that paper is far easier (than digital) to do well <i>for use cases like a national records collection</i>. "Correctly" may include off-site backups - whether or not your threat model includes massive earthquakes, volcanoes, bombs, special forces, EMP weapons, biological agents, civil war, radioactive fallout, or enemy occupation. Or "Management wouldn't pay for a done-right facility".<p>As I noted in another comment, the largest downside to paper (<i>within</i> such use cases), is that it is far more difficult to get political support for old-fashioned stuff that just works, compared to anything that can be sold as cool/new/high-tech. Especially when the taxpayer-funded revenue streams from selling/installing/supporting the tech create incentives clearly contrary to the taxpaper's long-term interests.
No politician ever got elected by supporting simple, old-fashioned stuff that just worked.
Worked on a similar platform. The real risk isn't the code - it's the config files. Government deployments have hardcoded staging credentials, VPN endpoints, and encryption keys that don't get rotated when code leaks. Source is whatever. Those env files are the skeleton key.
I see comments about Swedish personal identification numbers. But the article is about source code that's leaked, not a database of numbers, right? I was thinking: should government source code not be open source anyway?
First reaction: How come the source code is not public in the first place, accessible to every Swedish citizen? They paid for it!<p>But it turns out that more than the source code was leaked.
This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".<p>Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.<p>Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.
The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.
> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity<p>So what you think would be the solution ? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.
Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.<p>IBM or Accenture or whoever don't need to be the only ones winning tenders.
The total number of people working on the project might remain similar no matter if it's one company or many smaller companies. Writing clear documentation and API, well thought from the start is harder the larger the project.<p>Maybe there would be a benefit from having less layers of management, but multiple small companies or one big could have the same structure.
I have (the start of a) solution, but it's a boring one:<p>You have to have people who care about this stuff.<p>If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.<p>And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.
I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?
You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.
> You have to have people who care about this stuff.<p>What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.
Absolutely. One of the root causes for these terrible tender processes is a fear of in-housing competence and skill for systems.<p>It's the same reason major govt. IT orgs keep pushing for closed source (recently the Swedish Tax Authority was in the media for _pushing for Office 365_ as necessary for operations), out-sourced designs, big firm purchases over FOSS or real standards.<p>You need people that care (and they exist, even in the gigantic state orgs.) in positions to make good decisions. Right now, everything is up in the hands of nebulously defined managerial staff with none-to-doubtful technical competence.<p>Another recent case: the Swedish digital exams platform flopped at a rough cost of a billion SEK. Can't sustain 150K concurrent users, despite paying a "large company". Like, come on.
Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.
The probleme here is that what tends to happen is that the security requirements are relatively vague and once the customer has signed the acceptance, good luck.<p>And signing up with a big company is good way to cover your behind, because "if they with all their people and knowledge could not do it...". Basically the mantra or "Nobody was ever fired for buying Cisco".
Why was all that software not open source already?
Knowing swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is Swedish Tax Service website, there is a vague note on "maintenance work" planned for coming Saturday. Maybe totally unrelated though.
I'm pretty sure they did an internal analysis by 8 AM at all these places and came to the conclusion that they're OK.<p>Of course, they might be wrong!
Interesting, care to elaborate?
e-government services should be open-sources by default!
Anyone knows what their tech stack looks like?
What forum is the original screenshot from? It reminds me of cs.rin.ru
Unless they hardcode passwords and other juicy details in their source code what's all the fuzz about? It is a publicly funded thingy anyways.
"Government surprisingly fulfills its duty by making publicly funded source code public"
As long as cronyism remains the primary qualification for leadership, nothing will ever change, worse, it's only going to get worse<p>Accountability now, send these people to prison
How much GDPR fine will they pay? Oh wait it's gov so nothing / does no matter even if.<p>Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.<p>Well the citizens need to suck it up.
Few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. They government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone access it - it is his fault - he broke the law.<p>Edit, i checked the facts: The Bulgarian government said that the it should pay too much to itself, and appealed the fine for few years until it somehow expired. And the guy (20 year at that time) they accused was later acquitted after they tried to ruin his life.
As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.
[dead]
Is this the open source stuff everyone is talking about?