The hacker group ByteToBreach claims to have published large amounts of sensitive information from CGI Sweden on the darknet. The leak includes source code, passwords, and encryption keys. The system is used by several Swedish authorities, including Skatteverket, for login with Bank-ID.
CGI states that the incident concerns two internal test servers and that no production environments are assessed to be affected. However, files in the leak indicate that some information may have come from production servers, specifically ones linked to MCF's e-services. The Swedish Civil Contingencies Agency (MCF) has shut down its e-services as a direct response to the CGI leak.
Several authorities are investigating the suspected intrusion. In a separate incident, personal data from Swedes who bought Interrail tickets is being sold on the darknet after a data breach. The leaked information includes first and last names, dates of birth, gender, country, and passport numbers.
Eurail confirms that data from the breach has been put up for sale on the darknet and parts have been published openly via Telegram. The person or group behind the CGI leak is known for similar intrusions, including recently against Viking Line. ByteToBreach claims to have also obtained a database with personal data and other data it plans to sell separately.
This compromise belongs clearly to CGI infrastructure.
Shiny Hunters claims to have obtained 350 gigabytes of data. The actor has made the source code available for free while selling citizen databases and electronic signing documents separately. ByteToBreach documented their attack methodology in the leak release.
ByteToBreach achieved full compromise of CGI Sverige's infrastructure through a Jenkins CI/CD server. The attack chain involved exploiting Jenkins misconfigurations, escaping from the Docker container to the host via the Jenkins user's Docker group membership, pivoting through SSH private keys, extracting credentials from Java heap dump files, and executing OS commands through SQL copy-to-program pivots. This suggests an active campaign against Swedish infrastructure via CGI's managed services footprint.
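For defenders, three host-side conditions in that chain can be checked directly on a build server: the CI account's membership in the `docker` group, Java heap dumps left on disk, and private keys stored without a passphrase. The audit below is an added example, not taken from the leak or from CGI; the account name `jenkins`, the function names and the sample files are assumptions constructed for illustration.

```python
import base64, os, pathlib, struct, tempfile

HPROF_MAGIC = b"JAVA PROFILE "           # start of a binary Java heap dump
OPENSSH_MAGIC = b"openssh-key-v1\x00"    # start of a decoded OpenSSH key body

def docker_group_members(group_text):
    """Accounts in the 'docker' group of /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return {u for u in fields[3].split(",") if u}
    return set()

def key_is_unencrypted(data):
    """True if data holds a private key stored without a passphrase."""
    if b"BEGIN OPENSSH PRIVATE KEY" not in data:   # legacy PEM or PKCS#8
        return b"PRIVATE KEY-----" in data and b"ENCRYPTED" not in data
    body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
    try:
        raw = base64.b64decode(body[:64])   # cipher name sits in the first bytes
        (n,) = struct.unpack(">I", raw[15:19])
    except (ValueError, struct.error):
        return False
    return raw.startswith(OPENSSH_MAGIC) and raw[19:19 + n] == b"none"

def audit(root, group_text, ci_user="jenkins"):
    """Return (kind, subject) findings for the CI account and files under root."""
    findings = [("docker-group", ci_user)] if ci_user in docker_group_members(group_text) else []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(8192)    # headers only; dumps can be very large
            except OSError:
                continue
            if head.startswith(HPROF_MAGIC) or name.endswith(".hprof"):
                findings.append(("heap-dump", name))
            elif key_is_unencrypted(head):
                findings.append(("plaintext-key", name))
    return findings

def demo():
    """Run the audit over a constructed tree (no real keys or dumps)."""
    group = "root:x:0:\ndocker:x:998:jenkins,deploy\n"   # constructed /etc/group
    fake = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + bytes(16))
    key = b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + fake + b"\n-----END OPENSSH PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("java_pid41.bin", HPROF_MAGIC + b"1.0.2\x00"), ("id_ed25519", key)):
            pathlib.Path(root, name).write_bytes(data)
        return audit(root, group)
```

On a real host, pass the contents of `/etc/group` and the CI home or workspace directory to `audit`; heap dumps are matched by file header as well as by the `.hprof` extension, so renamed dumps are still reported.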
The leaked repositories appear to originate from an internal CGI GitLab instance. The exposed code includes core government platforms: Mina Engagemang citizen services, the Signe electronic signature portal and the Företrädarregister authorization system. CGI Sverige AB is the Swedish subsidiary of CGI Group, a global IT services firm.
CGI Sverige AB manages critical digital infrastructure for the Swedish government. ByteToBreach published the leaked materials on 12 March across multiple open web forums and file-sharing platforms. CGI stated in an updated statement on 17 March 2026 that the incident is under investigation.
Key unknowns include whether the CGI breach actually compromised production servers or only test servers as claimed by CGI, and the identity and motives of the hacker group(s) behind the CGI breach. Additional unknowns involve the exact number of individuals affected by the Eurail breach and the full scope of the leaked data, and whether the leaked credentials from the CGI breach have been used in any actual attacks on Swedish government systems. The implications for Swedish digital security and critical infrastructure are profound, given the exposure of core government platforms and sensitive passenger data.
