Full Report
The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people. [...]
Analysis Summary
# Incident Report: Miljödata Customer Data Leak
## Executive Summary
IT systems supplier Miljödata experienced a cyberattack leading to a significant data breach affecting approximately 1.5 million individuals whose data was supplied to Swedish municipalities. Attackers exfiltrated personal data, demanded a ransom, and subsequently posted the data on the dark web. The Swedish Authority for Privacy Protection (IMY) is now investigating potential GDPR violations concerning security measures and data handling practices.
## Incident Details
- Discovery Date: August 25, 2025 (Date of disclosure by Miljödata)
- Incident Date: Prior to August 25, 2025
- Affected Organization: Miljödata
- Sector: IT Systems Supplier (Serving Municipalities)
- Geography: Sweden
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Prior to August 25, 2025)
- Vector: Not explicitly stated, likely exploiting vulnerabilities in IT systems supplier infrastructure.
- Details: Attackers gained access to Miljödata's IT systems.
### Lateral Movement
- Details: Implied, as the attack resulted in the exfiltration of data belonging to 1.5 million people across systems serving roughly 80% of Sweden's municipalities.
### Data Exfiltration/Impact
- Date/Time: September 13, 2025 (Data posted on dark web by Datacarry)
- Details: Attackers stole personal data belonging to 1.5 million people. Data exposed included names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth. A ransom demand of 1.5 Bitcoin was made.
### Detection & Response
- Date/Time: August 25, 2025 (Disclosure)
- Details: Operational disruptions affected citizens in multiple regions (Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås). CERT-SE and the police began immediate investigation. IMY initiated an investigation focusing on Miljödata and key affected municipalities (Gothenburg, Älmhult, Västmanland).
## Attack Methodology
- Initial Access: Not specified in detail.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Implied successful movement to access/exfiltrate large volumes of dependent customer data.
- Collection: Gathering of PII, including sensitive information, government IDs, and DOBs.
- Exfiltration: Data uploaded to the dark web by the threat group Datacarry on September 13, 2025.
- Impact: Data exposure, operational disruptions for municipalities, and investigation by regulatory bodies.
## Impact Assessment
- Financial: Unknown, but involved a ransom demand of 1.5 BTC.
- Data Breach: Data of up to 1.5 million people exposed. Data included names, emails, physical addresses, phone numbers, government IDs, and dates of birth. Sensitive information was also included in many cases. Have I Been Pwned confirmed data for ~870,000 people.
- Operational: Caused operational disruptions affecting citizens in multiple Swedish regions/municipalities.
- Reputational: Significant regulatory scrutiny from IMY regarding GDPR compliance.
## Indicators of Compromise
- Network indicators: Threat group identified as **Datacarry** posting the data on their dark web portal.
- File indicators: 224 MB archive containing the stolen data posted publicly.
- Behavioral indicators: Ransom demand relating to data held captive.
## Response Actions
- Containment: The date of containment is not specified; the attack was disclosed on August 25, 2025.
- Eradication: Not specified.
- Recovery: Not specified, though operational disruptions were reported.
- Regulatory Action: IMY prioritized investigations into Miljödata (security measures) and specific municipalities (data handling), with a focus on children's data and protected identity subjects.
## Lessons Learned
- The security posture of a critical third-party supplier (Miljödata, serving 80% of municipalities) can have vast, cascading impacts across public services.
- Storing highly sensitive personal data, including government IDs and dates of birth, for a large population creates an extreme risk profile, necessitating heightened security standards.
- Public bodies utilizing third-party processors must rigorously examine their partners' security practices and their own downstream data handling protocols.
## Recommendations
- Conduct immediate, comprehensive third-party risk assessments for all critical suppliers that handle sensitive personally identifiable information (PII) on behalf of the organization.
- Enhance data minimization practices: review what sensitive data (e.g., government IDs, DOBs) is being stored, why it is necessary, and whether it can be segmented or pseudonymized.
- Mandate and verify the implementation of robust security controls (e.g., multi-factor authentication, advanced endpoint detection) across all vendor environments that touch core operational or citizen data.
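The data minimization and pseudonymization recommendation above is the one item in this report a practitioner can put directly into code. The following Python example is added here and is not part of the report or of Miljödata's systems: it takes constructed sample records of the kind described in the breach (name, e-mail, address, phone, government ID, date of birth), keeps only an assumed set of fields the downstream system needs, and replaces the government ID with a keyed HMAC-SHA256 pseudonym. The field lists and the key are assumptions for the example; the point is that a table built this way still supports joins on the token, but a copy of it leaked from the processor reveals neither the raw IDs nor the dropped attributes, and the tokens cannot be reversed by hashing candidate ID numbers without the key.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List

# Assumed for this example: the fields the receiving system actually needs.
# Everything not listed here or in PSEUDONYMIZED_FIELDS is dropped before
# the record is stored or handed to a processor.
REQUIRED_FIELDS = {"name", "email", "municipality"}

# Direct identifiers that are never stored raw; they are replaced by a keyed
# pseudonym so that a leaked table cannot be tied back to a national ID.
PSEUDONYMIZED_FIELDS = {"government_id"}


def pseudonym(value: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256, hex) for a direct identifier.

    Normalizing the input (strip whitespace and separators) keeps the token
    stable across formatting variants of the same ID. The key is held by the
    data controller, apart from the processor's data set, so leaked tokens
    cannot be brute-forced by hashing the finite space of valid ID numbers.
    """
    normalized = "".join(ch for ch in value if ch.isalnum())
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Keep required fields, tokenize direct identifiers, drop the rest."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in PSEUDONYMIZED_FIELDS:
            out[field + "_token"] = pseudonym(value, key)
        elif field in REQUIRED_FIELDS:
            out[field] = value
        # date_of_birth, phone, street address and any other field fall through
        # and are not written out: the minimized record never contained them.
    return out


def minimize_records(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [minimize_record(r, key) for r in records]


def dropped_fields(record: Dict[str, str]) -> List[str]:
    """List the fields a record loses under this policy (useful for a data-flow review)."""
    return sorted(f for f in record if f not in REQUIRED_FIELDS and f not in PSEUDONYMIZED_FIELDS)


# Constructed sample input; the values are invented and match no real person.
SAMPLE_RECORDS = [
    {
        "name": "Example Person",
        "email": "example.person@example.invalid",
        "street_address": "Exempelgatan 1",
        "phone": "+46 70 000 00 00",
        "government_id": "19800101-0000",
        "date_of_birth": "1980-01-01",
        "municipality": "Exempelkommun",
    },
    {
        "name": "Second Example",
        "email": "second.example@example.invalid",
        "street_address": "Exempelgatan 2",
        "phone": "+46 70 000 00 01",
        "government_id": "199001010000",
        "date_of_birth": "1990-01-01",
        "municipality": "Exempelkommun",
    },
]

if __name__ == "__main__":
    # The real key would come from a secrets manager, never from source code.
    demo_key = b"demo-key-not-for-production"
    for row in minimize_records(SAMPLE_RECORDS, demo_key):
        print(row)
    print("dropped:", dropped_fields(SAMPLE_RECORDS[0]))
```

The deterministic token lets two minimized data sets from the same controller be joined on `government_id_token` without either side holding the raw ID; rotating the key re-keys every token, which is the lever to use if a data set is suspected to have leaked alongside its key.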