STOPCOMMONPASS 🛑

@myuselesscrap No, we did not claim that BankID was directly hacked. We said in the OP that a 'severe data breach has been confirmed' and later clarified this as a supply chain hack, which people can also read for themselves in the article.

@org_scp Yes it is beyond that, but you claim that a digital ID provider has been hacked which is not true. A service that verify a digital identity when it is used may have been hacked via the supply chain, that is not the same as if the digital ID has been hacked.

🚨 BankID is Sweden's defacto National Digital ID based system used across 7,500 services, including govt. 🤖 A severe data breach has been confirmed with hackers claiming they pulled source code, user data and other internal system data. cybernews.com/security/cgi-s…

@darrenpjones Secure systems? Let's face it, if we go by the last 20 years of government, state systems are anything but 'secure' across the board.

A few misleading tweets going around. Let me clear things up.

🚨 HMRC aims to onboard users of the current Gateway system to 'One Login' starting the end of 2026. 🆔 That would basically force existing users to go through One Login digital ID verification to continue to use their GOV.UK accounts. publictechnology.net/2026/03/18/eco…

@myuselesscrap If you read what we said, it was a supply chain hack with CGI who've also attempted to downplay severity. For the moment the investigation is ongoing and there is evidence to suggest that the blast radius is beyond a single IDP.

@org_scp Yes, but BankID was not hacked, only one of thousands of Idp:s where you can use BankID. BankID itself is safe, this particular Idp could be compromised. You could see WHO has used BankID to login, but the actual information of the ID is still safe and can’t be used elsewhere.

@myuselesscrap It was a supply chain hack. Leaked material reportedly included source code, passwords, and encryption keys.

@org_scp BankID was not hacked or got the source code leaked, but some services like an Idp which use BankID. So not as bad as if BankID was the target.

@TAnalysen Yes, but remember, biometric data is immutable. It cannot be changed like a password if stolen.

@org_scp At some point, there should be the possibility to reset your public identiy :)

@fyiqpluto3 Yes, but if you merge such publicly available data with stolen data from a centralised authority, the risk of identity based fraud and other criminality significantly increases.

@org_scp this is the last thing to link up anyone in sweden, you're phone number address and salary is public information

@Sandmanterry55 @jemmm85517813 It's difficult to exclude from this type of geofencing/dragnet technology. It's usually always the case that other members of the public are 'inadvertently' picked-up along with HMRC's targets & there's nothing really stopping them from scrutinising those additional datasets.

@org_scp @jemmm85517813 There are two questions: Who does it track and Who is excluded from tracking? Pretty certain there are a few that are in the News recently that should have some very interesting monetary transactions that probably owe explanations for

🚨 HMRC quietly bought phone-tracking tech that can mimic cell towers & identify nearby devices - a capability usually linked to law enforcement. The purchase, from surveillance vendor Cellxion, reportedly began in 2021 but stayed undisclosed for years. computerweekly.com/news/366639490…

If @DanNeidle et al didn't expose the recent Companies House vulnerability, it could have developed into something even more serious. But the fact that the issue existed since October 2025, prior to mandatory One Login use, is absolutely disgraceful. taxpolicy.org.uk/2026/03/13/com…

If history is anything to go by, then expect similar or even greater state incompetence - like HMRC in 2007, when they “lost” 25 million records helping to put the nail in the coffin of the Identity Cards Act. spiked-online.com/2026/03/15/lab…

@darrenpjones The private industry doesn't legislate in the way that govt does & has even higher guardrails as well as optionality. You are relying on platitudes & fallacies with safe, low-stake comparisons to sell something that Britons are understandably very unnerved about.

I saw this tweet and wanted to respond. Digital ID will be voluntary.

The statement by UK Biobank's chief exec about re-identification & the overall 'trust me bro', re: no emails or addresses were leaked, is poor & inaccurate. In the wrong hands, exposed identifiers can build a bigger picture leading back to email & personal addresses.

This is extremely concerning. Since last year, journalist @AndrewOrlowski highlighted the fragility of GOV.UK One Login & its risk to millions of users. Now those same users & more face even greater risk due to this serious vulnerability on Companies House.

@org_scp Just goes to prove that this was never tested properly not even basic exploits!

This is the same Companies House that mandated use GOV.UK One Login since Nov 18th 2025 for directors and PSC's. Ironically, One Login was supposed to reduce fraud but this 'glitch' has furthermore increased the risk of it. taxpolicy.org.uk/2026/03/13/com…

@DanNeidle Unbelievable. The sheer gall of the State pushing One Login while the backend displays such systemic vulnerabilities. Very dangerous.

I see some weird things but this takes the biscuit. A vulnerability in the Companies House website, that let anyone view the private dashboard of any one of the five million registered companies, see directors' personal details. And modify them.

Thanks to @DanNeidle for reporting. @AndrewOrlowski will also be interested in this one.