Executive Summary
- Sweden’s privacy authority, IMY, is investigating a data breach at government software supplier Miljödata affecting 1.5 million people.
- Highly sensitive personal data was compromised, including government IDs, medical certificates, and rehabilitation plans.
- The breach disrupted government services in multiple Swedish regions, and the investigation will assess potential GDPR violations.
- The financially motivated ransomware group Datacarry has claimed responsibility for the cyberattack.
Sweden’s Authority for Privacy Protection (IMY) has launched a formal investigation into a significant data breach at Miljödata, a major government software supplier, which has compromised the sensitive personal information of 1.5 million individuals. The breach was discovered after the company experienced system disruptions, followed by a ransom demand of 1.5 Bitcoin from a threat actor to prevent the data from being leaked on the dark web.
The compromised data is extensive, including names, government-issued IDs, birth dates, contact information, and genders. According to the privacy regulator, highly sensitive documents such as medical certificates, rehabilitation plans, and details of occupational injuries were also exposed. The scale of the breach is substantial, affecting a significant portion of Sweden’s population of 10 million. The data breach tracking service Have I Been Pwned has verified over 870,000 affected accounts so far.
The incident has caused disruptions to government services across at least ten Swedish regions and municipalities that rely on Miljödata’s systems. In response, Minister for Civil Defense Carl-Oskar Bohlin stated, “The government takes issues relating to cyberattacks and IT incidents very seriously, and we understand the concern and uncertainty that cyberattacks can cause.”
The IMY’s investigation will focus on Miljödata as well as several affected administrative units, including the City of Gothenburg and Region Västmanland, to determine if adequate data protection measures were in place as required by the General Data Protection Regulation (GDPR). The audit will assess the company’s technical security controls and response protocols.
Datacarry Ransomware Group Implicated
While Miljödata has not officially named the perpetrator, the Datacarry ransomware group has claimed responsibility for the attack. On September 13, the group listed Miljödata on its data leak site. According to threat intelligence analyst Lidia Lopez of Outpost24, Datacarry is a financially motivated group active since June 2024 that typically targets medium-sized businesses in Europe. The group reportedly uses a leaked version of the Conti ransomware builder in its attacks.
Swedish authorities, with assistance from law enforcement and external cybersecurity experts, are still investigating to ascertain the full scope and consequences of the cyberattack. The potential for misuse of the stolen sensitive information remains a primary concern for officials and affected citizens.
