Incident

Sweden Investigates Source Code Leak of E-Government Platform Following CGI Sverige Breach



CGI Sverige, the Swedish subsidiary of global IT firm CGI Group, confirmed a cybersecurity incident on March 12, 2026, after a threat actor leaked sensitive government data. 

The attacker, known as ByteToBreach, published the source code for Sweden's e-government platform, which supports critical services like BankID logins for the Swedish Tax Agency. 

CGI claims the breach only affected two internal test servers, but the Swedish Minister of Civil Defense and national security agencies have launched an investigation into the exposure.

The attackers apparently gained access by compromising a Jenkins automation server and performing a Docker escape, which was possible because the Jenkins user belonged to the Docker group. They used SSH private key pivots to move through the network and analyzed local heap dump (.hprof) files to gather intelligence. The threat actor also used SQL copy-to-program pivots to escalate their access and exfiltrate data from the compromised infrastructure. Security experts have verified that the leaked source code and configuration files appear authentic.
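The Docker group membership described above is a condition defenders can audit on their own build hosts. The script below is an added example, not taken from CGI or from the incident reporting; the function names, the `--demo` and `--live` switches, and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts that can drive the Docker daemon through the
# "docker" group (root-equivalent on the host). Reads passwd/group-format files.

# docker_group_members GROUP_FILE PASSWD_FILE
# Prints supplementary members of "docker" plus accounts whose primary GID
# is the docker group's GID, one per line, sorted.
docker_group_members() {
    awk -F: '
        FILENAME == ARGV[1] {             # first file: group database
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # passwd: primary GID match
        END { for (u in seen) print u }
    ' "${1:-/etc/group}" "${2:-/etc/passwd}" | sort
}

# audit_docker_group GROUP_FILE PASSWD_FILE
# Prints one FINDING line per non-root member; returns 1 if any were found.
audit_docker_group() {
    findings=0
    for user in $(docker_group_members "$1" "$2"); do
        [ "$user" = "root" ] && continue
        uid=$(awk -F: -v u="$user" '$1 == u { print $3 }' "${2:-/etc/passwd}")
        echo "FINDING $user uid=${uid:-unknown} is in the docker group"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# demo: constructed sample files modelled on a CI build host (not real data).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'docker:x:998:jenkins,alice' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'jenkins:x:110:115::/var/lib/jenkins:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'buildbot:x:111:998::/home/buildbot:/bin/sh' > "$d/passwd"
    rc=0; audit_docker_group "$d/group" "$d/passwd" || rc=$?
    rm -rf "$d"
    return "$rc"
}

case "${1:-}" in --demo) demo ;; --live) audit_docker_group ;; esac
```

The non-zero return on any finding lets the check gate a configuration-compliance job; the primary-GID match catches accounts that never appear in the group's member list.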

The compromised data includes:

  • Full source code for the Swedish e-government platform
  • Staff database and internal personnel records
  • API document signing system and portal configurations
  • Jenkins SSH pivot credentials and RCE test endpoints
  • Citizen personally identifiable information (PII) databases (sold separately)
  • Electronic signing documents and encryption keys (sold separately)

The number of affected individuals is not disclosed, but approximately 95% of Sweden's 10.7 million residents use these digital services. The company has not disclosed the value of the stolen data or any ransom demands.

CGI isolated the affected test servers and stated that production environments and operational services remain secure. Sweden’s national IT incident center, CERT-SE, and the National Cyber Security Center are coordinating the response. BankID officials confirmed their systems were not directly attacked and remain safe for public use, despite the leak of related integration code. The Swedish government continues to monitor the situation to prevent further exploitation of the leaked materials.

The leak of source code allows attackers to find vulnerabilities in public-facing systems that rely on the compromised logic. Security researchers warn that the exposure of signing documents and encryption keys poses a risk to the integrity of Sweden's identity solutions.
