Full Report
In August 2025, the Swedish system supplier Miljödata was the victim of a ransomware attack. Following the attack, data was subsequently published on the dark web and included 870k unique email addresses across various compromised files. Data also included names, phone numbers, physical addresses, dates of birth and government-issued personal identity numbers.
Analysis Summary
# Incident Report: Miljödata Ransomware Attack & Data Leak
## Executive Summary
The Swedish system supplier Miljödata suffered a ransomware attack in August 2025, resulting in the exfiltration and subsequent publication of sensitive customer data on the dark web. The breach compromised personally identifiable information (PII) for approximately 870,000 users. Response actions focused on advising affected users to change passwords and enable MFA; the source provides no specific details on containment or eradication by the organization.
## Incident Details
- Discovery Date: September 16, 2025 (date the breach was added to HIBP; actual discovery likely August/September 2025)
- Incident Date: August 2025
- Affected Organization: Miljödata
- Sector: System Supplier (Technology/Services)
- Geography: Sweden
## Timeline of Events
### Initial Access
- Date/Time: August 2025 (Occurred)
- Vector: Not specified; the source describes the incident only as a ransomware attack.
- Details: Attackers successfully deployed ransomware against Miljödata's systems.
### Lateral Movement
- Details: Not specified, but implied by the scope of data accessed and exfiltrated.
### Data Exfiltration/Impact
- Details: Data, including 870k unique email addresses, names, phone numbers, physical addresses, dates of birth, and government-issued personal identity numbers, was stolen and subsequently published on the dark web.
### Detection & Response
- Details: The breach became publicly known (via HIBP listing) on September 16, 2025. Recommended user actions included changing passwords and enabling Two-Factor Authentication (2FA).
## Attack Methodology
- Initial Access: Ransomware deployment (specific method not detailed).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Gathering of PII records (emails, dates of birth, government-issued identity numbers, addresses, phone numbers).
- Exfiltration: Data published on the dark web following the ransomware event.
- Impact: Data confidentiality breach leading to potential identity theft risk for victims.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: PII for approximately 870,000 accounts, including names, emails, phone numbers, physical addresses, dates of birth, and government-issued personal identity numbers.
- Operational: Implied significant operational disruption due to ransomware deployment, though recovery details are unknown.
- Reputational: Negative impact following public dark web listing.
## Indicators of Compromise
- Network indicators: None provided (the only URLs in the source relate to remediation guidance and sponsorship).
- File indicators: None provided.
- Behavioral indicators: Execution of ransomware; unauthorized data exfiltration.
## Response Actions
- Containment: Ransomware containment details not specified.
- Eradication: Ransomware eradication details not specified.
- Recovery actions: User-facing recommendations were issued:
  - Change passwords used on Miljödata accounts if they haven't been changed since 2025.
  - Enable Two-Factor Authentication (2FA) on all relevant accounts.
## Lessons Learned
- The incident highlights the severe, ongoing risk posed by ransomware, which in this case led directly to mass PII exfiltration.
- Reliance on password security alone is insufficient when government IDs and extensive PII are stored.
## Recommendations
- Implement robust endpoint detection and response (EDR) capabilities to detect and halt ransomware deployment earlier.
- Review and enforce least-privilege access across the network to limit potential lateral movement following initial access.
- Enhance data minimization practices to reduce the volume of highly sensitive PII (like government IDs) retained if not strictly necessary for core business functions.
- Mandate and audit multi-factor authentication for all network access points, particularly those allowing connectivity to systems holding sensitive customer data.