In December 2024, Eurail, the company behind the popular Interrail train pass, suffered a data breach that exposed the personal information of 308,777 travelers, according to a notification filed with the Oregon Department of Justice. The stolen data includes names, email addresses, passport numbers, and other personal details, multiple media outlets reported. Eurail said it has secured its systems and is working with cybersecurity specialists to investigate the incident. A sample of the stolen dataset was copied to Telegram, according to eight media sources. Visual copies of passports are stored for customers who purchased passes through the DiscoverEU program, but not for direct customers, the reports added.
Separately, a threat actor calling itself ByteToBreach claims to have published sensitive information from CGI Sverige AB, the Swedish subsidiary of the global IT services firm CGI Group, on the dark web. The leaked data includes source code, passwords, and encryption keys, according to four media sources. CGI Sverige manages critical digital infrastructure for the Swedish government, including systems used by the Swedish Tax Agency (Skatteverket) for BankID login, five media outlets reported. ByteToBreach published the leaked materials on 12 March across multiple open web forums and file-sharing platforms, according to research by the outlet. The leaked repositories appear to originate from an internal CGI GitLab instance, International Cyber Digest reported. The exposed code includes core government platforms: Mina Engagemang citizen services, the Signe electronic signature portal, and the Företrädarregister authorization system, according to the same outlet. The leak also contains database passwords, SMTP credentials, keystore files and embedded Git credentials, the outlet added.
Source code for several programs appears to exist, and from what I can see, the hack looks genuine.
CGI stated that the breach involved only two internal test servers and that no production environments were affected. However, Dagens Nyheter (DN) reported that its review of the leaked files suggests some may originate from production servers, not just test servers. If production servers were compromised, the impact on Swedish e-government services and citizen data could be far more severe than CGI admits. The Myndigheten för civilt försvar (MCF) closed its e-services as a direct response to the CGI leak, the agency confirmed. About 96% of Sweden’s 10.7 million population used e-government services in 2025, according to Eurostat data.
ByteToBreach is a relatively new threat actor, appearing around summer 2025, and is commercially motivated, according to cybersecurity expert Marcus Murray. The group previously attacked Viking Line, two media outlets reported. ByteToBreach documented their attack methodology in the leak release, detailing how they achieved full compromise of CGI Sverige’s infrastructure through a Jenkins CI/CD server, according to the group's own statement. The attack chain involved exploiting Jenkins misconfigurations, escaping from the Docker container to the host, pivoting through SSH private keys, extracting credentials from Java heap dump files, and executing OS commands through SQL copy-to-program pivots, ByteToBreach claimed. This is the same actor behind the Viking Line breach posted one day earlier, suggesting an active campaign against Swedish infrastructure via CGI’s managed services footprint, the group stated.
This compromise belongs clearly to CGI infrastructure.
Another threat actor, Shiny Hunters, claims to have obtained 350 GB of data from the same breach, according to the group. The relationship between ByteToBreach and Shiny Hunters remains unclear; it is unknown whether they are the same group or separate entities. ByteToBreach has made the source code available for free while selling citizen databases and electronic signing documents separately, the group stated. The full extent of the CGI breach remains unknown, including whether production servers were actually affected and what specific data has been accessed or used maliciously. Swedish authorities have not yet announced specific actions in response to the CGI breach. ByteToBreach stated on social media that the compromise belongs clearly to CGI infrastructure. According to ebuildersecurity.com, Swedish IT security expert Anders Nilsson described the hack as appearing genuine based on the source code visible.
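A defender-side audit for the artifact classes the reports describe in the leak and the claimed attack chain (keystore files, embedded Git credentials, SSH private keys, Java heap dumps), run over a checkout or CI workspace. This is an added example, not code from the article, CGI or the threat actor; the function names, rules and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifact types that should not sit in a repository or CI workspace.
RISKY_SUFFIXES = {".hprof": "java-heap-dump", ".jks": "keystore",
                  ".p12": "keystore", ".pfx": "keystore", ".keystore": "keystore"}
# Content rules: PEM/OpenSSH private keys and URLs that carry user:password@host.
CONTENT_RULES = [
    ("private-key", re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("url-embedded-credential", re.compile(rb"[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+")),
]


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs; hidden dirs such as .git are walked."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            kind = RISKY_SUFFIXES.get(path.suffix.lower())
            if kind:  # binary artifact: flag by type, never parse it
                findings.append((rel, kind))
                continue
            try:
                with path.open("rb") as fh:
                    data = fh.read(1 << 20)  # scan the first 1 MiB only
            except OSError:
                continue  # unreadable file: nothing to report
            findings += [(rel, label) for label, rx in CONTENT_RULES if rx.search(data)]
    return sorted(findings)


def demo():
    """Audit a constructed sample workspace; every name and secret below is fake."""
    samples = {
        ".git/config": b'[remote "origin"]\n\turl = https://ci-bot:FAKE-TOKEN@git.example.invalid/app.git\n',
        "conf/app.properties": b"db.url=jdbc:postgresql://db.example.invalid:5432/app\n",
        "deploy/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n",
        "dumps/java_pid4242.hprof": b"JAVA PROFILE 1.0.2\x00",
        "certs/signing.JKS": b"\xfe\xed\xfe\xed",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(body)
        return audit_tree(root)
```

The JDBC URL with a port in the sample is deliberately not flagged: the rule requires an `@` after the `user:password` part, so `host:port` alone does not match.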
