Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]
[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...
The source code is the least of it! From the article:
> citizen PII databases and electronic signing documents were also collected but are being sold separately
I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to me what "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.
Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.
[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...
Maybe they should go open source from the start, then there's nothing to leak.
P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).
Anything taxpayer funded should be open source to begin with.
Misleading title, as my first thought was "why is Sweden's egov not open source to begin with?".
Turns out it's about data.
I like paper documents for this very reason.
It's very hard to steal everyone's documents when they weigh about the same as a train.
CGI has a lot of consultants in both government and municipal places (I've worked at both), and some of our main tools like time reporting were built as an addon to our personnel system by consultants at CGI. Half my team are consultants from CGI, 4 out of 7 people.
Also: hi tavro! It's been a few years, how have you been :D
This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".
Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.
Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.
I see comments about Swedish personal identification numbers. But the article is about source code that's leaked, not a database of numbers, right? I was thinking: should government source code not be open source anyway?
Worked on a similar platform. The real risk isn't the code - it's the config files. Government deployments have hardcoded staging credentials, VPN endpoints, and encryption keys that don't get rotated when code leaks. Source is whatever. Those env files are the skeleton key.
First reaction: How come the source code is not public in the first place, accessible to every Swedish citizen? They paid for it!
But it turns out that more than the source code was leaked.
Knowing Swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is the Swedish Tax Service website, there is a vague note on "maintenance work" planned for the coming Saturday. Maybe totally unrelated though.
Most important question: do Swedish e-government services use curl?
Why was all that software not open source already?
What forum is the original screenshot from? It reminds me of cs.rin.ru
Anyone know what their tech stack looks like?
Unless they hardcode passwords and other juicy details in their source code, what's all the fuss about? It is a publicly funded thingy anyways.
"Government surprisingly fulfills its duty by making publicly funded source code public"
As long as cronyism remains the primary qualification for leadership, nothing will ever change; worse, it's only going to get worse.
Accountability now, send these people to prison.
How much GDPR fine will they pay? Oh wait it's gov so nothing / does not matter even if.
Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.
Well the citizens need to suck it up.
Is this the open source stuff everyone is talking about?
Ok, some important context for non-Swedes. Anyone can get access to all Swedish (non-protected but those are a very VERY small subset) personal identification numbers by simply signing an agreement with SPAR[1] (the Swedish national people database). Identification numbers per se are not particularly useful or hard to get, they are effectively public information. Using SPAR you can also get the home (and any additional) addresses of individuals.
A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.
[1] https://www.statenspersonadressregister.se/master/start/engl...