
Sweden's E-Government Source Code Leaked in Major CGI Sverige Breach

Published on
March 13, 2026

The source code powering Sweden's national e-government platform is now circulating freely online. A threat actor named ByteToBreach published the material on March 12, 2026, claiming it was extracted from infrastructure belonging to CGI Sverige AB. The Sweden e-government data breach has already prompted a public response from the country's minister of civil defense, with national cybersecurity authorities now actively investigating.

CGI Sverige is the Swedish subsidiary of global IT outsourcing firm CGI Group. The company manages digital services for Swedish public authorities, making it a single point of failure for a significant portion of the country's digital public infrastructure.

How the CGI Sverige Data Breach Happened

The attack was not opportunistic. Technical details published alongside the leak describe a methodical compromise of CGI Sverige's internal environment. The actor first gained a foothold on internal infrastructure, then escalated through a Jenkins server compromise. From there, a Docker container escape was achieved by exploiting the Jenkins user's membership in the Docker group. SSH private keys were then used to pivot further across the environment. Local .hprof heap dump files were analysed for reconnaissance, and SQL copy-to-program techniques were used to extract data.

The actor ultimately reached an internal CGI GitLab instance. That is where the e-government repositories were accessed and pulled.

What Is Now Publicly Available

The source code is being distributed across the open web with multiple backup mirrors active. The following material has been released for free:

  • the full e-government platform source code
  • an internal CGI staff database
  • API document signing systems
  • Jenkins SSH pivot credentials
  • remote code execution test endpoints
  • and initial foothold and jailbreak artifacts.

Citizen PII databases and electronic signing documents were withheld from the free release. Those are being sold separately on dark web marketplaces.

The leaked repositories also contain hardcoded credentials embedded directly in configuration files. Exposed credentials include database passwords, email and SMTP passwords, keystore and truststore passwords, SHS credentials, Signe portal credentials, and Git credentials embedded in .git/config files.

Hardcoded credentials in source code are a serious and well-documented failure. They mean an attacker does not need to breach anything further. The credentials are simply there, readable by anyone who downloads the files. The risk of lateral movement into live systems is significant, and so is the potential for further supply chain compromise across the agencies connected to this platform.
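A check a maintainer could run in CI or before a commit to catch the credential types listed above, including remote URLs with embedded credentials in .git/config. This is an added example, not code from CGI or from the leaked material; the patterns, file names and sample values are assumptions constructed for illustration.

```python
import pathlib, re, tempfile

# key=value or key: value where the key names a secret (DB, SMTP, keystore, ...)
ASSIGN = re.compile(r"(?i)^\s*([\w.\-]*(?:password|passwd|secret|token)[\w.\-]*)\s*[:=]\s*(\S.*)$")
# scheme://user:secret@host, the form Git keeps in .git/config remote URLs
URL_CRED = re.compile(r"(?i)[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^@\s/]+)@")
# A reference to an env var or secret store is not a literal credential
PLACEHOLDER = re.compile(r"^['\"]?(\$\{.*\}|\$\w+|<.*>|)['\"]?$")

# Constructed sample files; every name and value is invented for this example
SAMPLES = {
    "app/application.properties": "spring.datasource.password=Constructed-Db-Pw1\n"
                                  "mail.smtp.password=${SMTP_PASSWORD}\n"
                                  "server.ssl.key-store-password=Constructed-Ks-Pw2\n",
    ".git/config": '[remote "origin"]\n'
                   "\turl = https://deploy:constructed-token@git.example.invalid/egov.git\n",
}

def scan_text(path, text):
    """Return (path, line_no, kind, key); the secret value is never returned."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        url, kv = URL_CRED.search(line), ASSIGN.match(line)
        if url and not PLACEHOLDER.match(url.group(1)):
            out.append((path, no, "url-credential", "url"))
        elif kv and not PLACEHOLDER.match(kv.group(2).strip()):
            out.append((path, no, "hardcoded-secret", kv.group(1)))
    return out

def scan_tree(root):
    """Scan every file under root; inside .git only 'config' is read."""
    out = []
    for p in pathlib.Path(root).rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or (".git" in rel.parts and p.name != "config"):
            continue
        out += scan_text(rel.as_posix(), p.read_text(encoding="utf-8", errors="replace"))
    return sorted(out)

def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Findings carry only the file, line number and key name, so the report itself can be stored or shared without spreading the secret. Any hit on a real repository means the credential should be rotated, since removing the line does not remove it from Git history.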

Key Components of Sweden's Digital Infrastructure Now Exposed

Mina Engagemang

This covers the frontend and backend code for citizen-facing applications and case management. It is the layer Swedish residents interact with when accessing public services online.

Signe and e-ID

The leaked files include configuration for the e-signature portal, SAML and OpenSAML metadata for the key service, and signing workflow templates. E-signature systems are foundational to Sweden's digital identity framework. Their exposure puts the integrity of digitally signed government documents in question.

Företrädarregister

This is the authorization registry that governs legal representation of organizations before Swedish authorities. Its source code and configuration being exposed creates a detailed map of how that system works and where it might be manipulated.

SHS Integration

This covers routing and configuration files for the layer handling secure data exchange between government agencies. Exposure of this infrastructure gives any attacker a clear picture of how inter-agency data flows and where it could be intercepted.

Official Response to the CGI Sverige Data Breach

CGI Sverige confirmed that its cybersecurity team identified an incident involving two internal test servers that were not used in production. The company stated that an older application version and its source code had been accessible, and that there was no indication that customer production data or live operational services were affected. An investigation involving authorities is underway.

Carl-Oskar Bohlin, Sweden's minister of civil defense, publicly confirmed the incident and stated that the government is working with CERT-SE and the National Cyber Security Center to identify those responsible.

The gap between CGI's characterisation of the incident and the scope of what the leak contains remains unresolved. The full dataset has not been independently verified by authorities at the time of publication.

A Pattern, Not an Isolated Incident

This is the second breach ByteToBreach published in 48 hours. The day before this Swedish e-government data breach, the same actor posted a breach affecting a major Scandinavian ferry operator, claiming access to a full passenger database and payment records. Both incidents trace back to CGI infrastructure.

The actor has explicitly framed this as a campaign, pointing to multiple victims and rejecting the characterisation of these incidents as third-party breaches. The implication is that CGI's managed services environment provided a shared route into multiple organisations.

Threat intelligence researchers have described ByteToBreach as an emerging, high-capability actor with a clear focus on European managed service providers. Two major breaches tied to a single contractor within two days point to sustained access, not a one-time intrusion.

Why This Exposure Is Harder to Contain Than a Standard Data Breach

Most breaches expose records. This one exposes architecture. Anyone with the leaked code now has a detailed technical blueprint of how Sweden's e-government platform is built, how its authentication works, how agencies exchange data, and where the logic could be exploited.

According to Eurostat, roughly 95% of Sweden's population of 10.7 million used e-government services as of the most recent figures available. The systems exposed in this breach sit beneath nearly every digital interaction between Swedish residents and the state.

Source code leaks do not expire. The material is already mirrored across multiple locations. Even if every live credential is rotated today, the architectural knowledge in the code remains available to anyone seeking to probe Sweden's public digital infrastructure for weaknesses that have not yet been found or patched.

That is the deeper problem the CGI Sverige breach leaves behind. The immediate incident response addresses what was taken. It does not address what is now known.
