Hands on keyboard showing data breach

Swedish Authority for Privacy Protection Investigates Data Breach Exposing 1.5 Million People

The Swedish Authority for Privacy Protection (IMY) is investigating a data breach at major government software supplier Miljödata that has compromised the personal information of 1.5 million people.

Miljödata learned of the breach after experiencing system disruptions that affected government services, and a threat actor approached the company demanding 1.5 Bitcoin to avoid leaking the stolen information on the dark web.

Miljödata breach leaks sensitive personal information

According to the data breach tracking website Have I Been Pwned (HIBP), the cyber attack affected over 870,000 accounts. It leaked the victims’ names, government-issued IDs, dates of birth, email addresses, phone numbers, physical addresses, and genders.

Some documents compromised include sensitive information such as medical certificates, rehabilitation plans, and occupational injuries. This information is a goldmine for cybercriminals seeking to extort victims by threatening to leak their highly sensitive personal information.

While HIBP reports only half the official figure, the data breach is a significant cybersecurity incident given Sweden’s total population of just 10 million people.

“The environmental data leak meant that a large part of Sweden’s population had their personal data published on the Darknet, in many cases also sensitive data,” the privacy regulator said in an autotranslated statement.

As the data breach continues to unfold, its full impact is still under investigation. So far, confirmed victim organizations include Lund University, with others expected to be affected, potentially including the Swedish military.

“The scope of the incident has not yet been determined, and it is too early to ascertain the actual consequences. Regardless, the government takes issues relating to cyberattacks and IT incidents very seriously, and we understand the concern and uncertainty that cyberattacks can cause,” the Minister for Civil Defense Carl-Oskar Bohlin stated in an X post.

Subsequently, the privacy regulator has launched an investigation with the assistance of law enforcement and external cybersecurity experts to determine the full scope of the cyber incident.

Data breach disrupts government services across numerous regions

Since Miljödata supplies 80% of municipalities, the August 25 data breach affected government services in the Swedish regions of Gotland, Halland, Skellefteå, Kalmar, Karlstad, Kiruna, Luleå, Umeå, Varberg, and Mönsterås.

Meanwhile, IMY has launched an investigation into Miljödata and some affected administrative units to determine if they had adequate data protection measures.

“The Swedish Authority for Privacy Protection (IMY) has decided to initiate investigations in connection with the IT attack against Miljödata and the personal data that was leaked at the time,” it stated. “The audits concern the company Miljödata, as well as two municipalities and one region that have used the company’s services.”

Those administrative regions include the City of Gothenburg, Älmhult Municipality, and Region Västmanland, IMY said.

The audit could uncover potential General Data Protection Regulation (GDPR) violations for seemingly failing to protect the sensitive personal information of millions of Swedes. The European Union law imposes strict regulations on collecting, storing, and processing personal information while giving data owners more control, including the power to demand deletion.

Subsequently, IMY is assessing Miljödata’s technical security controls, response protocols, and potential measures the company could have implemented to prevent the data breach.

Datacarry ransomware attributed to the Miljödata breach

While Miljödata has not released the identity of the threat actor, the Datacarry ransomware group has been attributed to the cyber attack. On September 13, the group took responsibility for the Miljödata data breach by listing the company on its data leak site, which also lists an additional 12 victims.

“Datacarry is a financially-motivated ransomware group active since at least June 2024, the date when they claim to have targeted their first victim,” said Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24. “They maintain a Data Leak Site (DLS) where they publish data from victim companies that didn’t pay the ransom amount requested to recover encrypted files. Datacarry ransomware attacks are presumably opportunistic, but most victims reported so far are medium-size businesses located in European countries.”

First detected in June 2024, the ransomware group does not own a custom encryption tool but relies on the leaked Conti ransomware builder to encrypt files. It has also been observed targeting Fortinet EMS servers affected by the CVE-2023-48788 vulnerability.