The source code is the least of it! From the article:
> citizen PII databases and electronic signing documents were also collected but are being sold separately
Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.
Man, you've got to be a real low-life to sell all of that.
You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.
It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?
And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.
At the high end you can use data diodes to isolate critical data.
The point of a system like this is specifically that it’s accessible and not air gapped.
Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system to be accessible.
If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?
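One way to realise the "verify hashes" idea from the comment above, as an added example that is not code from this thread: the verification service stores only a keyed hash of each identifier, with the key (a placeholder here, assumed to live in an HSM or a separate service) kept out of the database, and the comparison shows why an unkeyed hash would not be enough for low-entropy identity numbers. The sample identity numbers are constructed.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable

# Placeholder key for illustration only; in a real deployment it would be held
# outside the registry database (HSM or a separate signing service), so that a
# dump of the table alone carries no recoverable identifiers.
VERIFIER_KEY = b"placeholder-key-held-outside-the-database"


def normalise(identity_number: str) -> str:
    """Canonical form of an identifier so that '19800101-1234' and
    '198001011234' produce the same tag."""
    return identity_number.replace("-", "").strip()


def keyed_tag(identity_number: str, key: bytes = VERIFIER_KEY) -> str:
    """HMAC-SHA256 of the identifier: this is all the registry stores."""
    return hmac.new(key, normalise(identity_number).encode(), hashlib.sha256).hexdigest()


def unkeyed_tag(identity_number: str) -> str:
    """Plain SHA-256, shown only to contrast with the keyed form."""
    return hashlib.sha256(normalise(identity_number).encode()).hexdigest()


def build_registry(valid_ids: Iterable[str], key: bytes = VERIFIER_KEY) -> Dict[str, bool]:
    """Registry maps tag -> validity flag; the identifier itself is never stored."""
    return {keyed_tag(i, key): True for i in valid_ids}


def is_valid(registry: Dict[str, bool], identity_number: str, key: bytes = VERIFIER_KEY) -> bool:
    """The remote query: the caller presents an identifier, the service answers yes/no."""
    return registry.get(keyed_tag(identity_number, key), False)


def enumerate_without_key(registry: Dict[str, bool], candidates: Iterable[str],
                          tag_fn: Callable[[str], str]) -> int:
    """Model of someone holding a leaked table but not the key: identity numbers
    have little entropy, so they can try every plausible value with whatever
    tagging function they can compute. Returns how many candidates match."""
    return sum(1 for c in candidates if tag_fn(c) in registry)


if __name__ == "__main__":
    # Constructed sample values in personnummer-like format, not real people.
    registry = build_registry(["19800101-1234", "19900202-5678"])
    print(is_valid(registry, "198001011234"))   # True, hyphen-insensitive
    print(is_valid(registry, "19800101-0000"))  # False
    guesses = ["19800101-1234", "19800101-0000", "19900202-5678"]
    print(enumerate_without_key(registry, guesses, unkeyed_tag))  # 0: keyed tags resist enumeration
```

The keyed form protects the leaked table only while the key stays out of the same blast radius, which is why the key placement, not the hashing, is the design decision that matters.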
You can, they didn't; big difference.
If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make mistakes.
> it is still easy to make mistakes.
That's not an excuse though, any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done otherwise it's just negligence.
It was mainly an explanation, that "airgapping" does not magically provide better security, or is required (or possible) to use at all here.
Imagine if the bank took such a cavalier attitude with the contents of my account.
What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?
If that is the case, then it would have been wrong from the beginning for any government to keep hold of the private keys for the signature on my citizen card.
Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.
Encryption keys are mentioned as well.
I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)
I saw it on SVT a few hours ago. DN and Expressen have also reported. The details about what exactly it is that got leaked are unclear (some report it's basically the code and certs responsible for BankID SSO) but this is certainly being reported domestically.
In Aftonbladet comments from CGI they seem to think that no production related data has been leaked:
https://www.aftonbladet.se/nyheter/a/ArvG0E/cgi-sverige-uppg...
But a copy of production data in the test environment isn't production data... It's test data! :)
As if it ever happened that a breached company admitted immediately that they've just been fucked.
Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]
[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...
I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to me what the "Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.
Nothing in particular. Based on my understanding, CGI, a Swedish IT consulting company, was hacked; they have contracts for, and are the maintainers and developers of, a bunch of various government departments' IT services.
I would guess that skatteverket.se, polisen.se, kronofogden.se are among those affected by the leak.
Some other comments mention BankID private keys. That would be the biggest disaster as that's what everyone uses to identify themselves "securely" on all government services.
Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.
[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...
Maybe they should go open source from the start, then there's nothing to leak.
P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).
Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.
Government code, or code that handles society-critical things, should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".
Knowing Swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is the Swedish Tax Service's website, is there a vague note on "maintenance work" planned for the coming Saturday. Maybe totally unrelated though.
Interesting, care to elaborate?
I like paper documents for this very reason.
It's very hard to steal everyone's documents when they weigh about the same as a train.
But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.
> it’s easy to lose all of them in a fire or flood
Wouldn't a fire or flood affect everything? Both data stored on paper and hard disks?
The good news is you can keep offline, offsite digital copies, which is much more convenient than offsite paper copies.
I think what the comment meant was that it's harder for an individual to lose their paper documents compared to losing the electronic ones. It just shifts who's responsible for keeping them safe
This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".
Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.
Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.
> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity
So what do you think would be the solution? From what I see (public tender or not), I would claim that "any large IT project/company will suffer from security issues", so I'm not sure what the added value is in singling out a process (the tender) or a region (Europe) if there is no obvious alternative.
I have (the start of a) solution, but it's a boring one:
You have to have people who care about this stuff.
If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.
And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.
The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.
A lot of outsourced development.
The tender process + clueless buyers + tender process law(s) cause this. Whole process needs a revamp for this to not be a problem.
What forum is the original screenshot from? It reminds me of cs.rin.ru
e-government services should be open-source by default!
Now there is an additional reason for that.
Public money, public code.
As long as cronyism remains the primary qualification for leadership, nothing will ever change; worse, it's only going to get worse.
Accountability now, send these people to prison
How much GDPR fine will they pay? Oh wait, it's gov so nothing / it doesn't matter even if they do.
Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.
Well the citizens need to suck it up.
A few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. The government fined itself some non-trivial amount, then put the same value in the source and destination IBAN and paid the fine. They managed to find someone to blame, and it was not the person who left the database open but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone accesses it, it is his fault; he broke the law.
Edit, I checked the facts: the Bulgarian government said that it should pay too much to itself, and appealed the fine for a few years until it somehow expired. And the guy (20 years old at that time) they accused was later acquitted after they tried to ruin his life.
As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.
Is this the open source stuff everyone is talking about?