Source code of Swedish e-government services has been leaked

Ok, some important context for non-Swedes. Anyone can get access to all Swedish (non-protected but those are a very VERY small subset) personal identification numbers by simply signing an agreement with SPAR[1] (the Swedish national people database). Identification numbers per se are not particularly useful or hard to get, they are effectively public information. Using SPAR you can also get the home (and any additional) addresses of individuals

A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.

[1] https://www.statenspersonadressregister.se/master/start/engl...

Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]

[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...

[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...

The source code is the least of it! From the article:

> citizen PII databases and electronic signing documents were also collected but are being sold separately

I am a Swedish citizen. Lived here for almost 40 years. It is a bit unclear to be what the "the Swedish e-government platform" is. Would have been great if they at least could have published which domain name the service has.

Does anyone know if there is the source code for the Swedish Armed Forces - Team Test [1] in the leak? It was a really fun collaborative flash-style game that got popular in my circle of friends for some reason back then.

[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...

Maybe they should go open source from the start, then there's nothing to leak.

P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).

Anything taxpayer funded should be open source to begin with.

I like paper documents for this very reason.

It's very hard to steal everyone's documents when they weight about the same as a train.

This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".

Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.

Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.

Knowing swedish people's mindset I'm not surprised at all by the breach. What can be mildly surprising is that no major e-gov service has expressed concerns on their websites. Only on skatteverket.se, which is Swedish Tax Service website, there is a vague note on "maintenance work" planned for coming Saturday. Maybe totally unrelated though.

CGI has a lot of consultants in both government and municipal places (i've worked at both), and some of our main tools like time reporting was built as a addon to our personnel system by consultants at CGI. half my team are consultants from CGI, 4 out of 7 people.

also: hi tavro! it's been a few years, how have you been :D

Worked on a similar platform. The real risk isn't the code - it's the config files. Government deployments have hardcoded staging credentials, VPN endpoints, and encryption keys that don't get rotated when code leaks. Source is whatever. Those env files are the skeleton key.

I see comments about Swedish personal identification numbers. But the article is about source code that's leaked, not a database of numbers, right? I was thinking: should government source code not be open source anyway?

e-government services should be open-sources by default!

Misleading title, as my first thought was "why is Sweden's egov not open source to begin with?".

Turns out it's about data.

It's odd to me, as a Brit, to see that this stuff was not mostly public anyway. (looking at you https://github.com/alphagov)

First reaction: How come the source code is not public in the first place, accessible to every Swedish citizen? They paid for it!

But it turns out that more than the source code was leaked.

As long as cronyism remains the primary qualification for leadership, nothing will ever change, worse, it's only going to get worse

Accountability now, send these people to prison

Unless they hardcode passwords and other juicy details in their source code what's all the fuzz about? It is a publicly funded thingy anyways.

What forum is the original screenshot from? It reminds me of cs.rin.ru

Most important question: do Swedish e-government services use curl?

Why was all that software not open source already?

Anyone knows what their tech stack looks like?

following AI corp logic that everything in the internet is open source we have a open source goverment in europe now

Hot take: all government code should be open source.

"Government surprisingly fulfills its duty by making publicly funded source code public"

How much GDPR fine will they pay? Oh wait it's gov so nothing / does no matter even if.

Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.

Well the citizens need to suck it up.

Is this the open source stuff everyone is talking about?

[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...

also: hi tavro! it's been a few years, how have you been :D

Misleading title, as my first thought was "why is Sweden's egov not open source to begin with?".

Turns out it's about data.

It's odd to me, as a Brit, to see that this stuff was not mostly public anyway. (looking at you https://github.com/alphagov)

First reaction: How come the source code is not public in the first place, accessible to every Swedish citizen? They paid for it!

But it turns out that more than the source code was leaked.

As long as cronyism remains the primary qualification for leadership, nothing will ever change, worse, it's only going to get worse

Accountability now, send these people to prison

Unless they hardcode passwords and other juicy details in their source code what's all the fuzz about? It is a publicly funded thingy anyways.

What forum is the original screenshot from? It reminds me of cs.rin.ru

Most important question: do Swedish e-government services use curl?

Why was all that software not open source already?

Anyone knows what their tech stack looks like?

following AI corp logic that everything in the internet is open source we have a open source goverment in europe now

"Government surprisingly fulfills its duty by making publicly funded source code public"

A Swedish citizen database is... you know. fun. But not exactly hard to get hold of.

[1] https://www.statenspersonadressregister.se/master/start/engl...

I think this is good to highlight for non-Scandinavians.

Scandinavian countries are extremely open and transparent in a way that might be shocking for Americans. For example, in Norway, I can check nearly anyone's brokerage account holdings, addresses, phone numbers, etc. on public websites. I can in theory look up anyone's tax filings.

Personal identification numbers do not tend to be considered private in the same way that social security numbers in the US are.

Identification numbers per se are not particularly useful or hard to get, they are effectively public information

They are absolutely trivial to get. One click on mrkoll.se.

That might be interesting but it’s also completely irrelevant since no PII was actually leaked.

Also, no source code of ”Swedish e-government services” was leaked since that is not a thing:

https://news.ycombinator.com/item?id=47363966

> by simply signing an agreement with SPAR

But that seems like a completely different thing than a nefarious and anonymous person or group having access to the entire database.

Swedish news has some quotes from authorities that nothing of value has been leaked, and a quote from the service CGI that it only concerns test servers.[1][2]

[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...

[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...

I dont know nothing about this particular leak, but I have worked at Skatteverket.

Let me just say, the likelihood that CGI would have any _actual_ real personal data is close to 0%, at least on servers outside of Skatteverket. I had access to absolutely nothing even working inside. I have never worked in a more closed-down system, maybe excepting the swedish military "complex". No, actually that was less locked down in a way, at least once you were "inside" the system.

As a Swede this is giving me shudders, the statements reeks of paper-pushers and certification-chasers that don't seem to understand fundamental risks of how how threat actors can move around once having established footholds, hopefully there's more competent people down in the trenches.

Are we allowed to vibe code some positive changes and submit them for review?

The source code is the least of it! From the article:

> citizen PII databases and electronic signing documents were also collected but are being sold separately

Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.

Man, you've got to be a real low-life to sell all of that.

Encryption keys are mentioned as well.

I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)

What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?

There is no such thing according to Peder Sjölander, IT Director at the Swedish Tax Agency:

https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...

– Neither our data nor our users' data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there, says

The information that source code was leaked from a joint government e-platform is not true, according to Peder Sjölander.

– There is no such platform. I think the perpetrators in this want people to feel insecure. We feel confident that our data is safe and we have the situation under control before the tax return period opens next week.

It's not going to be a specific service or agency with a domain name, it's going to be services that are either internal and used by employees only, or that are integrated into other systems that you may be interacting with without knowing it.

Nothing in particular, based on my understanding CGI a Swedish IT consultant company was hacked, they have contracts for and are the maintainers and developers of a bunch of various government departments IT services.

I would guess that skatteverket.se, polisen.se, kronofogden.se are among those affected by the leak.

Maybe they should go open source from the start, then there's nothing to leak.

P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).

When I worked for the government in Norway, it slowly changed to all code being developed in the open. 3k repos here now: https://github.com/orgs/navikt/repositories

When I started it was a big security theater. Had to develop on thin clients with no external internet access, for instance. Then they got some great people in charge that modernized everything.

Only drawback is when you quit, you have to make sure to unsubscribe from everything, hehe. When quitting a private company I was just removed from the github org. Here I was as well, but I was still subscribed to lots of repos, issues, PRs,heh.

Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.

Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".

Anything taxpayer funded should be open source to begin with.

Similarly taxpayer funded contracts for any type of infrastructure (obviously I have digital infrastructure powered by proprietary solutions in mind) should only be awarded if interoperability is guaranteed to prevent lock-in and abuse.

I like paper documents for this very reason.

It's very hard to steal everyone's documents when they weight about the same as a train.

But it’s also very easy to lose all of them in a fire or flood. Different tradeoffs.

No politician ever got elected by supporting simple, old-fashioned stuff that just worked.

Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.

The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.

> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity

So what you think would be the solution ? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.

The probleme here is that what tends to happen is that the security requirements are relatively vague and once the customer has signed the acceptance, good luck.

And signing up with a big company is good way to cover your behind, because "if they with all their people and knowledge could not do it...". Basically the mantra or "Nobody was ever fired for buying Cisco".

Interesting, care to elaborate?

I'm pretty sure they did an internal analysis by 8 AM at all these places and came to the conclusion that they're OK.

Of course, they might be wrong!

The same attackers are releasing the database of personal information separately (for a fee).

That said, Sweden takes a different approach to PII, so most of that information would have already been public. You can generally just look up any resident and their ID number and other biographical details in a public directory (among other things… their tax returns are also public records).

Ideally they should be open.

e-government services should be open-sources by default!

Now there is an additional reason for that.

Public money, public code.

I sometimes also would like that, but you might reconsider that stance when your country is in war with another one.

Hot take: all government code should be open source.

How much GDPR fine will they pay? Oh wait it's gov so nothing / does no matter even if.

Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.

Well the citizens need to suck it up.

Few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. They government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone access it - it is his fault - he broke the law.

Edit, i checked the facts: The Bulgarian government said that the it should pay too much to itself, and appealed the fine for few years until it somehow expired. And the guy (20 year at that time) they accused was later acquitted after they tried to ruin his life.

As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.

Is this the open source stuff everyone is talking about?

Identification numbers per se are not particularly useful or hard to get, they are effectively public information

They are absolutely trivial to get. One click on mrkoll.se.

That might be interesting but it’s also completely irrelevant since no PII was actually leaked.

Also, no source code of ”Swedish e-government services” was leaked since that is not a thing:

https://news.ycombinator.com/item?id=47363966

Are we allowed to vibe code some positive changes and submit them for review?

Interesting, care to elaborate?

I'm pretty sure they did an internal analysis by 8 AM at all these places and came to the conclusion that they're OK.

Of course, they might be wrong!

The same attackers are releasing the database of personal information separately (for a fee).

Ideally they should be open.

Now there is an additional reason for that.

Public money, public code.

I sometimes also would like that, but you might reconsider that stance when your country is in war with another one.

I think this is good to highlight for non-Scandinavians.

Personal identification numbers do not tend to be considered private in the same way that social security numbers in the US are.

> by simply signing an agreement with SPAR

But that seems like a completely different thing than a nefarious and anonymous person or group having access to the entire database.

Yeah, nefarious or anonymous people have never used the internet so they could never find out that this was all public information.

I dont know nothing about this particular leak, but I have worked at Skatteverket.

Yeah the source code isn't really such a big deal aside from helping to find vulnerabilities. The PII is a real disgrace.

Seeming by other sources, it wasn't really information considered PII in Sweden (but would in other places), I'm not sure this is as a big deal as people try to make it out to be.

Man, you've got to be a real low-life to sell all of that.

You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.

We're so open, we even leak our government source code _ourselves_ https://github.com/navikt

I heard a rumor that some people use this to check their neighbour's revenue and sometimes make snark comments if one of them has a high revenue but lives in a "average revenue" part of town.

They'd say that if you earn a lot, you shouldn't take a cheap housing.

Any truth to that?

What's the point of making public how much each person owns? Aside from making you a prime target for kidnappings and targeted advertising?

All email conversations in Swedish public institutions are basically a public act and any citizen can request an extract of them.

The US used to be more this way. Not brokerage accounts as far as I recall, but whether you own a house, how much you paid for it, your address, phone number, even your SSN didn't used to be considered very private, people had it printed on their personal checks, and schools used it as a student ID number.

Newspapers used to publish hospital admissions and discharges, nothing medical but names and dates. Probably a lot of other stuff I'm forgetting.

Out of curiosity how do you authenticate yourself with government services and finance companies and such? The reason the SSN is considered private is because it's used for authentication. Usually an SSN + one or two pieces of trivially obtainable information is enough to sign up for just about anything in somebody else's name, unless physical documents are required as in the case of a passport.

And then there are widespread amounts of identity theft and mapping out of minorities, but you may sleep well as everyone knowing where you do so is an important step in making sure corruption is no more, don't think too much about it.

How do they have handle identity thefts, spams, etc.?

There are so many ways to misuse these data. Are the residents not concerned about this?

Is this due to how high-trust societies work, or is it something else?

All email conversations in Swedish public institutions are basically a public act and any citizen can request an extract of them.

Seeming by other sources, it wasn't really information considered PII in Sweden (but would in other places), I'm not sure this is as a big deal as people try to make it out to be.

Encryption keys are mentioned as well.

There is no such thing according to Peder Sjölander, IT Director at the Swedish Tax Agency:

https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...

– Neither our data nor our users' data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there, says

The information that source code was leaked from a joint government e-platform is not true, according to Peder Sjölander.

Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.

No politician ever got elected by supporting simple, old-fashioned stuff that just worked.

The probleme here is that what tends to happen is that the security requirements are relatively vague and once the customer has signed the acceptance, good luck.

Is this due to how high-trust societies work, or is it something else?

We're so open, we even leak our government source code _ourselves_ https://github.com/navikt

Uff, COBOL written in Norwegian, talk about a narrow target to hit for hiring :)

I heard a rumor that some people use this to check their neighbour's revenue and sometimes make snark comments if one of them has a high revenue but lives in a "average revenue" part of town.

They'd say that if you earn a lot, you shouldn't take a cheap housing.

Any truth to that?

There used to be a lot more of that, but a system was put in place where you have to identify yourself with electronic ID to access the information, and the information is logged so the other party can see it.

Nowadays I think mostly journalists use it to pull up information about politicians and other people that are in the public spotlight. There are of course the yearly "richest people in Norway" lists in various categories.

> They'd say that if you earn a lot, you shouldn't take a cheap housing.

I think a lot of "humbleness" is also enforced this way, in the US seems normal (or even some European countries) to flaunt your wealth, and others seem more or less OK with it, while in Sweden it's much more socially unacceptable to in any sort of way brag about being rich, or showing that off. Humble-richness is OK and tolerated, but flagrantly displaying your wealth among the public is generally frowned upon.

So together with that, living in a average neighborhood but have a house that sticks out as clearly "rich person's house" will gain you evil looks from your neighbors, as you're "supposed to" live in a different neighborhood where neighbors look more equal, otherwise you again stick out, which is cause for friction culturally.

Lots of culture in Sweden is less about "lets correctly solve the problem" and more "lets ensure the gaping holes aren't so visible for everyone, so we can ignore it properly".

Making snark comments about that sounds very unlikely. More likely they'd have respect for someone living frugally and not showing off. See https://en.wikipedia.org/wiki/Law_of_Jante

We don't talk to our neighbours.

Making snarky comments about it, no, not really. Will some people snoop around? Yes, nosy people can be found everywhere.

Yes and no. You get notified if someone else actually asks for your revenue info and so in practice nobody actually does it.

You get a notification by post if someone requested your info.

What is the harm in this case? Shit people are shit even without information. They would be snark about something else then.

Yep, that tracks.

There's also the underlying current of Jantelagen (Law of Jante) https://en.wikipedia.org/wiki/Law_of_Jante

What's the point of making public how much each person owns? Aside from making you a prime target for kidnappings and targeted advertising?

Because tax is not your bill from 'government Corp ', its your contribution to the community, to your tribe. And we have explicit goals for this, besides bringing revenue (like the strongest back should carry the heaviest burden).

When we have communal contributions in other settings, your contribution is usually not a secret.

It is meant to give the tax system more legitimacy, that you don't gave to wonder if people sneak out of their contribution, you can check. It also leads to yearly debates about the tax system as the list of the richest(usually inherited) is published together with what they pay in income tax vs wealth tax.

Previously you could check up anyone anonymous. These days you have to log inn, and they get a notification. But the list of the richest and their tax contribution gets published in the newspaper.

Tax data is government data. Government data is public data. Instead of asking "what's the reason for making something public" the question is "what's the reason for making a carveout for some specific data to make it secret"

People in safe countries generally do not worry about kidnappings.

why would anyone kidnap you if they own as much as you ?

Newspapers used to publish hospital admissions and discharges, nothing medical but names and dates. Probably a lot of other stuff I'm forgetting.

Let's not forget white pages, those door stopper telephone books containing everyone's name, phone and address that everyone had (along with yellow pages for business listings).

In Sweden the most useful and supported way means that you need this.

1. An identification approved by the EU. You get this from the national Police. (A government agency)

2. An SSN which is your birthday and four extea digits. E.g. 1212121212 is a valid "PNR", you get this from the Tax agency

3. A bank account (you need 1 and 2)

4. A patched Android or iPhone.

5. The BankID a app from a company owner by the banks in Sweden.

6. A Certificate downloaded from your bank to you BankID App

7. A PIN to Protect the key in you BankID App.

8. Normal internet connection.

9. A camera on your phone to read QR code on Service Provider webpage for session initionation

When you sign something the app will send lots of metadata to "the Identity Provider" (BankId), e.g. how much root you have on your phone, if you run known malware, your current ip, and your phone HW info. This is used to calculate a score that you as a "service provider" (i.e. banks, government, companies) can choose to ignore (they usually do)

When you as a Customer either sign in or sign you will see a document that you sign maybe "I give you 100SEK", and who you sign that to. You enter you pin or use biometric to aprove.

(Was this better than an LLM.. Yes)

With cryptographic keys, normally stored on a smartphone. BankID[0] is the most common solution, but there are others. I personally use biometric 2fa to log in, and PIN to sign contracts or pay.

[0]: https://en.wikipedia.org/wiki/BankID_(Sweden)

Just a few years ago this was about to change in Sweden.

But they didn't change it, because "women should be able to look up the men that they date".

How do they have handle identity thefts, spams, etc.?

There are so many ways to misuse these data. Are the residents not concerned about this?

Yeah, nefarious or anonymous people have never used the internet so they could never find out that this was all public information.

public information if they signed an agreement with the Swedish government?

You've got to be a real low-life to collect all of that and put it in a database that is not air-gapped.

It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?

And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.

The point of a system like this is specifically that it’s accessible and not air gapped.

Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible

If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.