SIMPLIFIED VERSION

CGI Sweden — What happened?

A summary for journalists and non-technical readers

By: Pentesting.se / Adminor AB
Date: 2026-03-14

What happened?

A hacker stole the complete source code and configuration files from CGI Sweden's e-government platform. This is the platform Swedish government agencies use to digitally identify citizens — for example, when you log in with BankID at a government service.

Among the stolen material are master keys — secret files that make it possible to forge digital IDs. This means someone could theoretically impersonate any Swedish citizen to all connected government agencies.

Why does it matter?

Imagine someone stole the original stamp that the tax authority uses to stamp passports. With that stamp, anyone can create fake passports that look completely genuine. That is essentially what happened here — but with digital IDs instead of physical passports.

CGI claims these were just "test servers." Our analysis shows real passwords, real keys, and real database credentials — everything needed to access production systems.

What was stolen?

🔑 64 digital key files — at least 20 still valid (until 2027–2034). Like finding 64 keys to locked rooms, where 20 still open the door.

🔓 30+ passwords in plain text — the same password was reused for databases, email, and build systems. Like using the same key for your house, car, and office.

📄 21 complete code repositories — the full blueprints of how the system works, including login, document signing, and data exchange between agencies.

📬 Digital passports for government communication — certificates that prove "I am MSB" or "I am Boverket" in the secure postal system agencies use to exchange documents (SHS). Anyone with the passport can impersonate that agency.

How bad is it?

CRITICAL: Digital ID forgery

With the stolen signing keys, an attacker can create fake logins that look completely genuine — for any Swedish citizen. On top of that, the security controls designed to catch such forgeries were turned off in the configuration.

HIGH: Database access & defense material

The same password was reused across at least 8 different systems. Among those affected is the Swedish Defence Materiel Administration (FMV), whose signing keys were stored in the code repository instead of secure hardware.

MEDIUM: Personal data & spreading risk

National ID numbers were found in the stolen files. The hacker has advertised that citizen databases are being sold separately. There is also an SMS gateway without a password that could be used to send scam messages.

Who is affected?

The following organizations have been confirmed in the stolen material:

MSB: Swedish Civil Contingencies Agency — full system configuration stolen
FMV: Swedish Defence Materiel Administration — signing keys stolen
Kammarkollegiet: Legal, Financial and Administrative Services Agency — signing certificate valid until 2030
IVO: Health and Social Care Inspectorate — Lex Maria reporting forms
Boverket: National Board of Housing — digital passport for agency communication stolen
Karlstad Municipality: Digital passport + citizen portal
Bolagsverket: Companies Registration Office — integration credentials
Swedish Energy Markets Inspectorate: Certificate valid until 2030
Folksam & Akademiska Hus: Customer configuration for digital signing

At least 7 additional organizations have been identified.

What should happen now?

  1. All stolen keys and passwords must be replaced — immediately. Every hour that passes means risk of abuse.
  2. The security controls that were turned off must be re-enabled. The system should not accept unsigned identity proofs.
  3. All affected agencies must review their logs to check if anyone has already used the stolen material.
  4. The incident must be reported to the Swedish Privacy Authority (IMY) under GDPR — within 72 hours.
  5. Keys should be moved to dedicated security hardware (HSM) so they can never be digitally stolen again.

Who is behind it?

The hacker goes by the name ByteToBreach and has been stealing data from airlines, banks, and government agencies in over 10 countries since June 2025. The day before the CGI leak, the same actor published a passenger database from Viking Line.

Read the full technical report:

Full technical report

For journalists

For additional background, confirmations, and interview requests, contact us at pentesting.se.

This simplified report is based on passive analysis of publicly available data. No active intrusion attempts were made. Specific passwords and file paths have been intentionally omitted.

Contact: Pentesting.se / Adminor AB