Source code of Swedish e-government services has been leaked (darkwebinformer.com)
109 points by tavro 4 hours ago | 91 comments
|

wasmitnetzen (2 hours ago):
Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers. [1][2]
[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...

whizzter (an hour ago):
As a Swede this is giving me shudders, the statements reek of paper-pushers and certification-chasers that don't seem to understand fundamental risks of how threat actors can move around once having established footholds, hopefully there's more competent people down in the trenches.

cactusplant7374 (39 minutes ago):
Are we allowed to vibe code some positive changes and submit them for review?
|
|

wayfwdmachine (an hour ago):
Ok, some important context for non-Swedes.
Anyone can get access to all Swedish (non-protected, but those are a very VERY small subset) personal identification numbers by simply signing an agreement with SPAR [1] (the Swedish national people database). Identification numbers per se are not particularly useful or hard to get, they are effectively public information. Using SPAR you can also get the home (and any additional) addresses of individuals. A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.
[1] https://www.statenspersonadressregister.se/master/start/engl...

picafrost (43 minutes ago):
I think this is good to highlight for non-Scandinavians. Scandinavian countries are extremely open and transparent in a way that might be shocking for Americans. For example, in Norway, I can check nearly anyone's brokerage account holdings, addresses, phone numbers, etc. on public websites. I can in theory look up anyone's tax filings. Personal identification numbers do not tend to be considered private in the same way that social security numbers in the US are.

whynotmaybe (26 minutes ago):
I heard a rumor that some people use this to check their neighbour's revenue and sometimes make snarky comments if one of them has a high revenue but lives in an "average revenue" part of town. They'd say that if you earn a lot, you shouldn't take cheap housing. Any truth to that?

ROllerozxa (21 minutes ago):
And then there are widespread amounts of identity theft and mapping out of minorities, but you may sleep well as everyone knowing where you do so is an important step in making sure corruption is no more, don't think too much about it.

Batman8675309 (20 minutes ago):
Just a few years ago this was about to change in Sweden. But they didn't change it, because "women should be able to look up the men that they date".

ahoka (39 minutes ago):
Not open but stupid, IMHO.

einr (43 minutes ago):
> Identification numbers per se are not particularly useful or hard to get, they are effectively public information

They are absolutely trivial to get. One click on mrkoll.se.

petcat (an hour ago):
> by simply signing an agreement with SPAR

But that seems like a completely different thing than a nefarious and anonymous person or group having access to the entire database.

wayfwdmachine (an hour ago):
Yeah, nefarious or anonymous people have never used the internet so they could never find out that this was all public information.

petcat (44 minutes ago):
public information if they signed an agreement with the Swedish government?

einr (42 minutes ago):
No, public information for anyone. You realize that if it's public information, then it's public, and anyone can re-publish it online? There are websites for that. I can get the complete identification number, home address, phone number, etc for any Swedish citizen (that does not have a protected identity) in less than a minute.

petcat (40 minutes ago):
You can get all of that one-by-one? Or can you get the whole database at once?

einr (32 minutes ago):
I cannot trivially get the whole database, no. But I kind of fail to see what a malicious actor would do with a large database of public information that they couldn’t otherwise do. The system is designed such that you can’t really do a lot of malicious stuff with just public data, and the stuff you can do (scam calls, etc) is probably not meaningfully more effective if you have the whole database than if you do manual lookups or web scraping. I’m open to being proved wrong about that however. Basically: obviously it's not desirable to have that full database in the hands of a malicious actor but I'm not sure it's such a big deal either. Again, it's public data by design.
|
|
|
|
|
|
|

robertlagrant (3 hours ago):
The source code is the least of it! From the article:
> citizen PII databases and electronic signing documents were also collected but are being sold separately

AdamN (3 hours ago):
Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.

simonklitj (3 hours ago):
Man, you've got to be a real low-life to sell all of that.

blell (3 hours ago):
You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.

xorcist (2 hours ago):
It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped? And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.

dijit (2 hours ago):
The point of a system like this is specifically that it’s accessible and not air gapped. Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible

fc417fc802 (2 hours ago):
If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?

lukan (2 hours ago):
If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.

jjgreen (24 minutes ago):
"misstakes", love it, almost peotic

dns_snek (2 hours ago):
> it is still easy to make misstakes.

That's not an excuse though, any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done otherwise it's just negligence.

lukan (2 hours ago):
It was mainly an explanation, that "airgapping" does not magically provide better security, or is required (or possible) to use at all here.

dns_snek (an hour ago):
And it's pretty clear to me that they were criticizing storage of sensitive data in a database that isn't properly secured and they simply misused the term "airgapped". The database in question was easily accessible from poorly maintained development infrastructure.
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize

fc417fc802 (2 hours ago):
Imagine if the bank took such a cavalier attitude with the contents of my account.
|
|
|

jetsetman192 (3 hours ago):
Encryption keys are mentioned as well.

worldsayshi (3 hours ago):
I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)

ACS_Solver (3 hours ago):
I saw it on SVT a few hours ago. DN and Expressen have also reported. The details about what exactly it is that got leaked are unclear (some report it's basically the code and certs responsible for BankID SSO) but this is certainly being reported domestically.

worldsayshi (3 hours ago):
In Aftonbladet comments from CGI they seem to think that no production related data has been leaked: https://www.aftonbladet.se/nyheter/a/ArvG0E/cgi-sverige-uppg...

zyberzero (2 hours ago):
But a copy of production data in the test environment isn't production data... It's test data! :)

yaris (2 hours ago):
As if it ever happened that a breached company admitted immediately that they've just been fucked.

einr (an hour ago):
> some report it's basically the code and certs responsible for BankID SSO

No. CGI has nothing to do with BankID. IMO the most credible reports suggest that the source code and data involved are related to these four services:

https://www.cgi.com/se/sv/business-process-services/e-tjanst...
"Mina engagemang offers a user-friendly and flexible solution that allows your customers to manage their cases directly through a personal portal. Here, users can view, track, and interact with their ongoing cases, which enhances both transparency and efficiency in the communication process." -- some kind of ticket/case management system for gov't agencies

https://www.cgi.com/se/sv/business-process-services/elektron...
"With our secure end-to-end e-ID and eSign services, we can help you streamline document and contract management, gain access to all desired e-ID issuers, and improve cost efficiency." -- this sounds like a bad thing to compromise, but is to the best of my understanding a system for digital signatures on documents, and has no relation to BankID

https://www.cgi.com/se/sv/business-process-services/e-tjanst...
"Gain better control over your organization’s representatives with our easy-to-use representative registry. By automating the identification and verification of representatives, you’ll gain a clear overview and enhance the security of your processes." -- sounds like some bullshit CRUD app for managing who can "represent" a gov't agency

https://www.cgi.com/se/sv/business-process-services/e-tjanst...
"SHS is Sweden’s common standard for information exchange, enabling secure and efficient communication between government agencies, businesses, and organizations." -- this might be bad if real data was leaked

These are services used by various Swedish government agencies and it's pretty bad to have even a test instance of them hacked, but let's calm down. The entire Swedish state has not been compromised here.

jonashus (26 minutes ago):
> CGI has nothing to do with BankID

That's incorrect. Skatteverket used CGI for BankID-login, I don't know if they still do. I have personal experience working on a BankID-login using CGI for another company and it is still active. Edit: I just confirmed Skatteverket still uses CGI for BankID-auth. "funktionstjanster" is CGI.

einr (20 minutes ago):
OK, let me rephrase that: CGI, while they may "have something to do" with BankID in the sense that they have developed systems that integrate with it, does not itself develop BankID and does not hold any private keys for BankID.
|
|
|

ptx (2 hours ago):
What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?

einr (23 minutes ago):
To the best of my understanding it means that a system made by CGI for digital signing of documents (as in: you get something like a PDF from a government agency and need to digitally sign it and send it back) has had its source code and/or some data belonging to it leaked. Skatteverket, the Swedish tax authority, has been quoted in media as confirming that they use CGI's system for digital document signing but that none of their data nor that of any citizens has been leaked. https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
"One of the government agencies that uses CGI’s services is the Swedish Tax Agency, which was notified of the incident by the company. However, according to the Swedish Tax Agency, its users have nothing to worry about. “Neither our data nor our users’ data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there,” says Peder Sjölander, IT Director at the Swedish Tax Agency."

nunobrito (2 hours ago):
If that is the case, then it would have been wrong from the beginning for any government to keep hold of the private keys for the signature on my citizen card. Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.

ptx (25 minutes ago):
I apparently didn't phrase that very well. If what is the case? I was trying to ask which case was the case, not trying to claim that something specific was the case. I'm familiar with electronic signatures, and I know what documents are, but I have never heard the phrase "electronic signing documents" and don't know what that is supposed to mean. What kind of documents? Documents about signing, documents that were signed, documents in the sense that files containing keys could be considered documents, or what?

nunobrito (23 minutes ago):
In Portugal we were early adopters for digital signatures on citizen cards. You use the card reader, insert your gov-issued identification and can sign PDF papers which have legal validity since the private key from the citizen card was used. Now imagine someone signing random legal documents with your ID for things like debts, opening companies or subscriptions to whatever.

whizzter (19 minutes ago):
We might've lucked out here, there is some signature data on ID cards today and official _plans_ to make a government backed signing service, but practically _nobody_ uses them in practice so just revoking all those keys will be a minor issue. Currently most Swedes use a private bank consortium controlled ID solution for most logins and signatures.
|
|
|
|

JensRantil (2 hours ago):
I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to me what "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.

einr (an hour ago):
It's not going to be a specific service or agency with a domain name, it's going to be services that are either internal and used by employees only, or that are integrated into other systems that you may be interacting with without knowing it.

lysace (9 minutes ago):
There is no such thing according to Peder Sjölander, IT Director at the Swedish Tax Agency: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
> – Neither our data nor our users' data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there, says
> The information that source code was leaked from a joint government e-platform is not true, according to Peder Sjölander.
> – There is no such platform. I think the perpetrators in this want people to feel insecure. We feel confident that our data is safe and we have the situation under control before the tax return period opens next week.

yaris (2 hours ago):
I would guess that skatteverket.se, polisen.se, kronofogden.se are among those affected by the leak.

brabel (2 hours ago):
Some other comments mention BankID private keys. That would be the biggest disaster as that’s what everyone uses to identify themselves “securely” on all government services.

einr (an hour ago):
That's an interesting guess that I assume is based on absolutely nothing?

yaris (an hour ago):
Yes, nothing and the facts that these are government services, they use BankID and they updated their websites with "maintenance work" announcements for tomorrow, Saturday. For kronofogden.se there was no maintenance planned just half an hour ago. Knowing the Swedish tendency to plan things months ahead I would _guess_ that this maintenance work has been rushed due to some circumstances.

einr (an hour ago):
It's quite possible that the maintenance is related, but I can nearly 100% assure you this has absolutely nothing to do with BankID. I don't know who suggested that but they are either poorly informed or actively trying to sow FUD.
|
|

reliablereason (2 hours ago):
Nothing in particular, based on my understanding CGI, a Swedish IT consultant company, was hacked; they have contracts for and are the maintainers and developers of a bunch of various government departments' IT services.
|
|

teroshan (3 hours ago):
Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.
[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...
|

elwebmaster (an hour ago):
Anything taxpayer funded should be open source to begin with.
|

rebolek (2 hours ago):
Maybe they should go open source from the start, then there's nothing to leak. P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).

ZaoLahma (an hour ago):
Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you. Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".
|
|

noosphr (2 hours ago):
I like paper documents for this very reason. It's very hard to steal everyone's documents when they weigh about the same as a train.

latexr (2 hours ago):
But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.

noosphr (11 minutes ago):
This is a feature not a bug.

HelloUsername (2 hours ago):
> it’s easy to lose all of them in a fire or flood

Wouldn't a fire or flood affect everything? Both data stored on paper and hard disks?

jagged-chisel (2 hours ago):
The good news is you can keep offline, offsite digital copies, which is much more convenient than offsite paper copies.

Gabrys1 (2 hours ago):
I think what the comment meant was that it's harder for an individual to lose their paper documents compared to losing the electronic ones. It just shifts who's responsible for keeping them safe

bell-cot (an hour ago):
Problems with well-known solutions 100 years ago: "Fireproof file rooms and cabinets in the 1920s were crucial for protecting business and government records during the rapid expansion of the industrial era. The era saw a massive shift from flammable wooden office furniture to robust, steel-based storage designed to resist both fire and water damage." That's a Google AI summary - but I've been in a fair number of buildings with such rooms. Thick concrete walls, heavy steel fire doors, no other openings, nothing but steel file cabinets in 'em, sealed electric light fixtures that look like they belong in a powder magazine (where one spark could kill everyone) - it's really simple tech. And "high ground" was a reliable flood protection tech several centuries before that.

latexr (33 minutes ago):
Then add “earthquake” to the list, or “domestic terrorists or foreign country bombing the building”. Steelman the argument. The point isn’t “just fire and water specifically”, we’re not playing Pokémon. We have several historic examples of records being lost in disasters, and way more recent than 100 years ago. https://en.wikipedia.org/wiki/National_Personnel_Records_Cen... It makes no difference that we could’ve prevented that with better building construction. We didn’t, and hindsight does not bring the records back. We should plan for the world we want but cannot ignore the world we have. I’m not defending digital as always better or criticising physical. Like I said, different tradeoffs, meaning there are advantages and disadvantages to both, there’s no solution which is better in all situations.
|

bell-cot (an hour ago):
No politician ever got elected by supporting simple, old-fashioned stuff that just worked.
|
|

corroclaro (2 hours ago):
This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security". Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed. Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.

vladms (2 hours ago):
> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity

So what do you think would be the solution? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.

mvdwoord (40 minutes ago):
Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.

xorcist (an hour ago):
I have (the start of a) solution, but it's a boring one: You have to have people who care about this stuff. If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part. And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.

dns_snek (an hour ago):
I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?

xorcist (3 minutes ago):
You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.

latexr (16 minutes ago):
> You have to have people who care about this stuff.

What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.
|

bengale (2 hours ago):
The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.

Maxion (2 hours ago):
A lot of outsourced development. The tender process + clueless buyers + tender process law(s) cause this. Whole process needs a revamp for this to not be a problem.
|
|
|

yaris (2 hours ago):
Knowing Swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is the Swedish Tax Service website, is there a vague note on "maintenance work" planned for the coming Saturday. Maybe totally unrelated though.
|

olalonde (44 minutes ago):
Anyone knows what their tech stack looks like?
|

agluszak (2 hours ago):
e-government services should be open-sourced by default!
|

blin2h (2 hours ago):
What forum is the original screenshot from? It reminds me of cs.rin.ru
|

WhereIsTheTruth (2 hours ago):
As long as cronyism remains the primary qualification for leadership, nothing will ever change, worse, it's only going to get worse. Accountability now, send these people to prison.
|

Lionga (2 hours ago):
How much GDPR fine will they pay? Oh wait it's gov so nothing / does not matter even if. Who will take responsibility and get fired and lose all pension etc.? Oh wait no one. Well the citizens need to suck it up.

Habgdnv (2 hours ago):
A few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. The government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone accesses it - it is his fault - he broke the law. Edit, I checked the facts: The Bulgarian government said that it should pay too much to itself, and appealed the fine for a few years until it somehow expired. And the guy (20 years old at that time) they accused was later acquitted after they tried to ruin his life.

the_other (2 hours ago):
As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.
|
|

steve1977 (2 hours ago):
Is this the open source stuff everyone is talking about?