By Independent News Roundup
A hacker group calling itself ByteToBreach has reportedly dumped sensitive source code tied to Sweden’s national digital identity system.
The incident is raising alarm over the risks of centralized control as governments worldwide push similar schemes.
The group claims it breached CGI’s Swedish division and accessed code connected to the nation’s digital identity system, called BankID.
BankID is the single authentication system used by millions of Swedes for banking, taxes, government services, and digital signatures.
Hackers Claim Access to Core Digital Identity Infrastructure
According to reports, the leaked material includes source code, passwords, and encryption keys tied to systems supporting BankID logins for the Swedish Tax Agency.
BankID is not a niche tool as it serves as the backbone of Sweden’s digital infrastructure.
More than 8.6 million people in a country of just over 10 million rely on it for daily life, creating what critics warn is a dangerous single point of failure.
The data reportedly surfaced on a known cybercrime platform called Breached.
Breached is a dark web forum where hacked data is leaked and traded.
Cybercriminals use the platform to post and sell stolen databases.
Shortly after it was leaked on Breached, the site was taken offline as part of a cybersecurity operation, limiting independent verification of the full scope of the hack.
However, it’s unclear how much of the data was sold before the site was taken down.
Separate reports indicate that databases containing personal data and electronic signatures of Swedish citizens are already circulating among cybercriminals, further escalating concerns.
Officials Downplay Incident Despite Serious Exposure
CGI confirmed the breach but characterized it as limited in scope, claiming it involved only internal test servers.
“The incident concerns two internal test servers in Sweden,” the company said.
“The servers are not used in production but are used for testing, connected to a service for a limited number of customers.”
CGI also stated that the attackers accessed an older version of the source code and insisted there was “currently no indication of any impact on customers’ production environments, production data, or operational services. Information to the contrary is not accurate.”
The Swedish Tax Agency echoed that position.
“We take all incidents seriously, but we don’t see anything that affects us right now,” IT Director Peder Sjölander said.
However, cybersecurity experts warn that exposure of source code, even from test environments, can provide attackers with a roadmap to exploit live systems, including authentication flows and security architecture.
Centralized Digital Identity Faces Growing Scrutiny
The breach highlights broader concerns about centralized digital identity systems.
It comes as governments around the world are increasingly adopting centralized digital ID technology.
Sweden’s BankID system has long been promoted as a model for efficiency, allowing citizens to access nearly all services through a single login.
But that convenience comes with systemic risk.
Just last year, a distributed denial-of-service (DDoS) attack temporarily knocked BankID offline.
The attack left millions unable to access financial services, verify identities, or interact with government systems, all at once.
The latest breach claims underscore a deeper vulnerability: when identity is centralized, both outages and security failures can impact entire populations simultaneously.
As governments push forward with similar digital ID frameworks, critics warn that Sweden’s experience may serve as a cautionary example of what happens when critical infrastructure is consolidated into a single, high-value target.
.svg){kind=logo}
