The Sweden BankID Leak Is Why I Won’t Hand Over My Biometrics

When I read the report about a hacking group called ByteToBreach claiming access to systems tied to Sweden’s BankID e-government platform, my first thought wasn’t “wow, hackers.” It was, “this is what happens when identity gets centralized, outsourced, and treated like a convenience feature.”

In plain terms, the attacker claimed to have taken source code, configuration files, and staff-related data including personnummer (Swedish personal identity numbers), plus materials connected to electronic signing and identity verification. CGI (the vendor in the story) disputed the scope and said the incident involved limited test servers, not live systems. Sweden’s government also confirmed there was a leak, and the national incident response team (CERT-SE) is investigating.

That push and pull matters, because the bigger lesson doesn’t depend on who wins the PR argument. The lesson is simple: biometrics don’t belong in government sized databases, or in contractor ecosystems that eventually feed them.

If a password leaks, I change it. If my face or fingerprints leak, I’m stuck with them.

What This Story Really Tells Me About Digital Trust

Here’s the 8th grade version of what I took from the CGI Sweden story on digital identity. A big contractor that supports government digital services allegedly got hit, and data that helps run those services may have been exposed. Some sources describe it as e-government platform source code and related documentation. CGI says it was limited and isolated. Sweden says it’s real enough to investigate.

That’s not a niche problem. It’s the most normal kind of problem we have now: supply chain risk.

“Supply chain” in security doesn’t mean trucks and warehouses. It means trusted helpers. A vendor builds the platform. Another vendor hosts it. A third vendor manages logins and identity verification. A fourth handles electronic signatures. If one helper gets compromised, everyone downstream can feel it.

Reporting around this incident highlights the concern that even “just” source code and configs can be a roadmap for attackers later. If you want context on what was reportedly involved and how Sweden responded publicly, this summary is a decent starting point: Sweden probes reported leak of e-government platform source code.

And since BankID sits in the same neighborhood of digital trust governed by the eIDAS regulation, people naturally asked the scary question: “Was BankID breached?” Several writeups stress that BankID itself wasn’t directly attacked. Still, the ecosystem around identity matters because attackers don’t always punch the front door. They look for a side door.


Even If BankID Wasn’t Breached, The Ecosystem Still Got Weaker

A modern digital identity system is like a theme park wristband. You tap it at the gate, the ride, the snack bar, and the locker. That’s convenient for fraud prevention, until someone figures out how the wristbands are made, validated, or reset.

Even if the “main system” stays intact, leaked source code and configuration details can help attackers in three practical ways:

First, they can study how the platform is supposed to work, then look for mistakes that weren’t obvious before. Second, they can craft scams that sound real because they know the internal language, the file names, and the workflow for services like remote onboarding. Third, they can hunt for similar systems that were deployed with the same settings, because reuse happens everywhere.

Some security commentary about this CGI incident goes further and frames leaked code as a future attack guide. If you want that angle, see Threat Landscape’s advisory on the e-government source code leak.

Biometrics Aren’t Like Passwords, Once They Leak, You’re Stuck With Them

When people say “biometrics,” they usually mean biometric verification with face scans, fingerprints, and sometimes iris scans. The pitch is always the same: it’s quick, it’s easy, and it’s “more secure.”

Sometimes it is more secure, but only in a narrow sense. A fingerprint is harder to guess than “Password123.” That’s true. The trade is that your fingerprint is also not replaceable.

I’m fine using biometrics on my own device when they stay on my device, especially with multi-factor authentication. That’s one reason passkeys are interesting. With passkeys, your face or fingerprint acts as an unlock button for a cryptographic key stored locally; the biometric itself is never transmitted, only a signature made with that key. That’s very different from sending a reusable biometric token into a large system like Estonia’s e-ID. I broke that down in my post on passwordless passkeys using biometrics, and it’s a distinction I wish more policies made clearer, particularly for identity verification.

A national ID system that trends toward face matching raises the stakes. It turns “proof of you” into “a permanent identifier that might get copied, stolen, or repurposed.”

A password is a coat you can change. A biometric identifier is your skin. Treat them differently.

Why I Don’t Want My Biometrics Stored Or Normalized By Any Government Entity

I’m not anti-ID. I travel. I show my ID. I’m not trying to make an officer’s job harder.

My line is simpler: I don’t want my face to become the default ticket to move through public life via identity verification at checkpoints. Once we normalize digital identity programs like that, it spreads. It spreads because it’s “efficient,” because a vendor already has the cameras, because budgets are easier than policy debates, and because most people don’t want to argue at a checkpoint.

The problem is that government digital identity programs using biometrics tend to attract four forces that don’t care about my preferences:

Permanence. Biometrics don’t rotate like passwords, so any breach exposing personally identifiable information has a long tail.

Purpose creep. A system built “just for travel” starts showing up in other places, like mobile driver’s license apps. That’s not a conspiracy, it’s how budgets get justified.

Contractor sprawl. Even if the government writes good rules, it still relies on vendors, subcontractors, and integration partners. The Sweden story with agencies like Bolagsverket and Skatteverket is a reminder that the weakest link might not be the agency itself.

Chilling effects. When facial recognition with liveness detection becomes automatic, people change how they behave. It’s subtle, but real.

I also don’t accept “trust us” as a security plan. Agencies can promise deletion timelines and narrow use cases. Policies can also change. Leadership changes. Laws change. Contractors change. Meanwhile, the database keeps existing.

“Temporary” Programs Have a Habit of Becoming Permanent

The most common pattern I see is the “optional first” rollout.

It starts at a handful of locations. Then it expands. Then the signage gets vague. Then the staff gets trained to keep the line moving, not to explain choices. After a while, opting out feels like you’re asking for a favor.

Some traveler advocacy groups say that’s already happening with TSA airport face scans, mainly because people aren’t clearly told they can refuse. The Algorithmic Justice League has been collecting traveler experiences and pushing the message that you still have a choice. Their campaign page is here: You can opt out of TSA face scans.

Centralized Identity Plus Biometrics Raises the Stakes for Everyone

A single login for many services sounds great until you picture failure modes.

If identity is used for banking, benefits, healthcare portals, travel, and document signing, then one breach is no longer “just” one breach. It’s the key ring.

That’s also why vendor incidents bother me more than one-off hacks. When contractors build shared plumbing for many agencies, the blast radius grows. Even if the leaked system is “just a test environment,” people reuse patterns, code, and settings. Attackers know that.

So when I hear “it’s only for convenience,” I translate it to, “we’re building a reusable mechanism to identify you everywhere.” Convenience is real, but so is the risk.

I Opt Out at Airports and Customs, and You Can Too (In the US)

This is the section I wish someone had handed me years ago.

When a camera shows up at the TSA checkpoint and an agent gestures for me to look at it for facial recognition, I opt out. I do it politely. I do it every time. I do it even when I’m tired, because practice is the whole point.

Here’s what I’m trying to avoid: a world where facial recognition becomes the default, and opting out becomes suspicious behavior. I’d rather make opting out normal while it’s still allowed and relatively easy. This keeps me away from biometric verification altogether.

I also plan extra time. TSA manual lanes can take longer during rush periods. That’s not a punishment, it’s just reality when most people flow through the automated path, complete with liveness checks and QR code scanning for phone-based boarding passes.

And while this post focuses on the US, the principle travels well: you don’t have to hand over more identity data than the situation requires. An ID check is one thing. A reusable biometric record is another.


One extra travel tip while we’re here: airports are a perfect place for digital scams too. If you’re killing time on public Wi-Fi, read my guide on captive portal attacks on airport Wi-Fi. Identity and connectivity risks love the same crowded spaces.

What I Say, Word for Word, When They Ask for a Face Scan

I keep it short. I don’t debate. I don’t explain my politics. I just state a preference.

Here are the exact phrases I use:

“I’d like to opt out of biometric screening, please.”

“I prefer a manual ID check.”

If the agent asks “why,” I don’t take the bait. I just repeat the request. In most cases, the TSA process shifts to the standard manual identity verification: my physical ID, my boarding pass if needed, and the officer looking at my face like we’ve done for decades.

For a plain-English walkthrough of how some travelers handle this, see How to opt out of TSA facial recognition (2026 guide). I don’t agree with every advocacy site’s tone, but the basic scripts match what I do.

If They Pressure Me, Here’s How I Hold the Line Without Escalating

Pressure usually looks like speed, not threats. The line is moving, the agent sounds annoyed, and you feel like you’re holding everyone up. That’s the moment most people comply.

When that happens, I do three things:

I slow my voice down and stay calm. Tension feeds tension.

I repeat the same sentence. Short and boring wins: “I’d like to opt out and do a manual check.”

If needed, I ask for a supervisor. I keep it neutral: “Can you call a supervisor to help me with the TSA opt-out process?”

I don’t argue about facial recognition accuracy, bias, or policy at the podium. That’s not the time. The point is to complete travel and keep your boundary.

Opting out isn’t about causing a scene. It’s about refusing to make biometric collection the default.

The UK’s 2025 Digital ID Push Shows Resistance Works, and Opting Out Is a Form of It

People sometimes tell me, “It’s inevitable.” I don’t buy that.

A good counterexample is the UK’s digital identity push, which heated up in 2025. The plan connected to GOV.UK services and the One Login program, and it triggered a familiar set of concerns: privacy, security, governance driven by KYC/AML compliance, and what “optional” would really mean in practice.

The key point for me is this: public skepticism slowed things down. It forced consultation. It made officials explain limits instead of rushing a mandate.

As of March 2026, the UK government is still publishing consultation materials about digital identity, which signals this hasn’t become a simple, settled rollout focused on identity verification to make public services work for citizens. You can see that framing in their own words here: Making public services work with your digital identity.

Press coverage also captured the trust problem at the center of the debate. Here’s one example: Security concerns over the system at the heart of digital ID.


When Enough People Say “No,” Mandatory Plans Turn Into “Optional” Ones

Public pressure doesn’t always kill a proposal. Sometimes it reshapes it.

That reshaping matters. It can mean longer timelines, tighter rules on beneficial ownership and governance, clearer opt-outs, or stronger oversight. It can also mean a change in messaging, because the “we’re doing this for fraud prevention and to fight identity theft” pitch often lands badly. Governments then pivot to “convenience,” like digital wallets or initiatives such as Secure Start, because convenience is easier to sell.

In other words, resistance works even when you don’t get a dramatic headline, much like the challenges seen in large-scale biometric ID systems such as India’s Aadhaar program.

Opting out at airports is the same kind of resistance, just quieter. Every opt-out is a signal that people want an alternative lane that respects privacy.

My Goal Isn’t to Avoid ID Checks, It’s to Avoid Permanent Biometric Tracking

I want to be crystal clear: I’m not trying to evade identity checks. I’m trying to avoid turning my face into a reusable key that gets scanned, logged, stored, or shared beyond the moment.

The Sweden incident claim (and CGI’s response) is a reminder that even wealthy countries with mature infrastructure still deal with leaks and vendor risk. When those systems include biometric identifiers, the cost of failure isn’t just high. It’s personal.

So I draw a line where it counts: I’ll prove who I am, but I won’t help normalize biometric collection as the default.

Conclusion

The CGI Sweden leak claim involving BankID and e-government services is a warning about how messy digital identity ecosystems get when vendors, code, and electronic signature workflows stack up. Add biometrics to that mix, and every breach becomes harder to recover from, because you can’t replace your face like a password.

In the US, opting out of airport face scans is a real choice many travelers still have, so I use it. Next time you fly, try it politely, plan a little extra time, and tell one other person they can opt out too. If enough of us keep choosing privacy, “scan first” won’t quietly become the new normal.
