The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed personal data corresponding to 1.5 million people, the company disclosed on Aug. 25. Miljödata supplies IT systems to roughly 80% of Sweden’s municipalities and said the attackers stole data and demanded 1.5 Bitcoin to avoid leaking it.
The attack caused operational disruptions affecting citizens in multiple regions, including Halland, Gotland, Skellefteå, Kalmar, Karlstad and Mönsterås. The state monitored the situation from the time of disclosure, and CERT‑SE and the police began investigating immediately.
IMY said attackers published the data on the dark web and that the incident provided grounds to investigate possible violations of the EU’s General Data Protection Regulation. IMY head, Jenny Bård said the leak affected a large portion of the population and that in many cases sensitive information was exposed.
Because of the scale, IMY has prioritised investigations of Miljödata, the City of Gothenburg, the Municipality of Älmhult and the Region of Västmanland. IMY said Miljödata will be examined for its security measures while the municipalities will be reviewed for their data handling practices, with particular focus on children’s data, protected identity subjects and former employees; additional entities could be investigated later but none are planned now.
Although no ransomware group had claimed the attack when Miljödata disclosed the incident, the threat group Datacarry posted the stolen files on its dark web portal on Sept. 13 and provided a 224MB archive, according to the listing. The actors list an additional 12 victims on their site.
Have I Been Pwned has also added the Miljödata leak to its database and lists names, email addresses, physical addresses, phone numbers, government IDs and dates of birth among the leaked items; it reports the data corresponds to about 870,000 people, roughly half the figure cited by IMY.