The original phrasing from the attacker, from the website that put the data up for download/sale, was ”documents (for electronic signing)” which implies that they’re documents that would be signed in said system. I would take all of this with a large helping of salt though. CGI claims it’s not real production data anyway; maybe it is and maybe it’s not.

The best case scenario is in line with what CGI claims: these are lorem ipsum fake docs from an old git repo for a test instance of the system.

OK, let me rephrase that: CGI, while they may "have something to do" with BankID in the sense that they have developed systems that integrate with it, does not itself develop BankID and does not hold any private keys for BankID.

To the best of my understanding it means that a system made by CGI for digital signing of documents (as in: you get something like a PDF from a government agency and need to digitally sign it and send it back) has had its source code and/or some data belonging to it leaked.

Skatteverket, the Swedish tax authority, has been quoted in media as confirming that they use CGI's system for digital document signing but that none of their data nor that of any citizens has been leaked.

https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...

"One of the government agencies that uses CGI’s services is the Swedish Tax Agency, which was notified of the incident by the company. However, according to the Swedish Tax Agency, its users have nothing to worry about.

“Neither our data nor our users’ data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there,” says Peder Sjölander, IT Director at the Swedish Tax Agency."

I cannot trivially get the whole database, no. But I kind of fail to see what a malicious actor would do with a large database of public information that they couldn’t otherwise do. The system is designed such that you can’t really do a lot of malicious stuff with just public data, and the stuff you can do (scam calls, etc) is probably not meaningfully more effective if you have the whole database than if you do manual lookups or web scraping. I’m open to being proved wrong about that however.

Basically: obviously it's not desirable to have that full database in the hands of a malicious actor but I'm not sure it's such a big deal either. Again, it's public data by design.

No, public information for anyone. You realize that if it's public information, then it's public, and anyone can re-publish it online? There are websites for that. I can get the complete identification number, home address, phone number, etc for any Swedish citizen (that does not have a protected identity) in less than a minute.