Comment by worldsayshi

1 day ago

I wonder if the focus on source code makes Swedish news slower to jump on this. I haven't seen it in domestic news yet. (Haven't looked too wide though)

I saw it on SVT a few hours ago. DN and Expressen have also reported. The details about what exactly it is that got leaked are unclear (some report it's basically the code and certs responsible for BankID SSO) but this is certainly being reported domestically.

  • > some report it's basically the code and certs responsible for BankID SSO

    No. CGI has nothing to do with BankID.

    IMO the most credible reports suggest that the source code and data involved are related to these four services:

    https://www.cgi.com/se/sv/business-process-services/e-tjanst... "Mina engagemang offers a user-friendly and flexible solution that allows your customers to manage their cases directly through a personal portal. Here, users can view, track, and interact with their ongoing cases, which enhances both transparency and efficiency in the communication process." -- some kind of ticket/case management system for gov't agencies

    https://www.cgi.com/se/sv/business-process-services/elektron... "With our secure end-to-end e-ID and eSign services, we can help you streamline document and contract management, gain access to all desired e-ID issuers, and improve cost efficiency." -- this sounds like a bad thing to compromise, but is to the best of my understanding a system for digital signatures on documents, and has no relation to BankID

    https://www.cgi.com/se/sv/business-process-services/e-tjanst... "Gain better control over your organization’s representatives with our easy-to-use representative registry. By automating the identification and verification of representatives, you’ll gain a clear overview and enhance the security of your processes." -- sounds like some bullshit CRUD app for managing who can "represent" a gov't agency

    https://www.cgi.com/se/sv/business-process-services/e-tjanst... "SHS is Sweden’s common standard for information exchange, enabling secure and efficient communication between government agencies, businesses, and organizations." -- this might be bad if real data was leaked

    These are services used by various Swedish government agencies and it's pretty bad to have even a test instance of them hacked, but let's calm down. The entire Swedish state has not been compromised here.

    • > CGI has nothing to do with BankID

      That's incorrect. Skatteverket used CGI for BankID-login, I don't know if they still do. I have personal experience working on a BankID-login using CGI for another company and it is still active.

      Edit: I just confirmed Skatteverket still uses CGI for BankID-auth. "funktionstjanster" is CGI.
