Volvo North America said attackers accessed employee data after its HR-system provider Miljödata was struck by a ransomware attack in August. The company disclosed that the Breached data included employees’ first and last names and Social Security numbers. Timeline details show Miljödata’s incident occurred on August 20, with discovery three days later and Volvo’s data exposure confirmed on September 2. Massachusetts Attorney General’s disclosure (PDF) notes the sequence and scope of the incident.
Miljödata said it immediately launched an investigation and has since taken steps to strengthen security for its hosted environment, while working with cybersecurity experts to review policies and prevent recurrence. Volvo Group reported that the breach involved the Adato system, which is used to manage workplace incidents and sick leave information.
The DataCarry ransomware group claimed responsibility for the Adato attack and has Miljödata’s files available on its dark-web site, according to the disclosure. In Volvo’s case, the company indicated that only names and Social Security numbers were exfiltrated, with other victims reportedly affected by a broader set of data types in different organizations.
Several have cited HaveIBeenPwned as part of the broader data-tallies, noting that the Miljödata breach includes 870,000 unique email addresses among the stolen files. HaveIBeenPwned provides the breach listing and data types observed across exposed records.
Sweden’s public and educational institutions were also impacted. SAS, the Swedish airline that used Adato until June 2021, confirmed that current and former employees who joined before June 21, 2021 may have had data stolen, including sick-leave information in some cases. Uppsala University said its Adato deployment was on-premises and thus unaffected.
Miljödata serves software to roughly 80 percent of Sweden’s 290 municipalities, and authorities have said the attack disrupted public services across about 200 regions. The City of Stockholm was among authorities affected by the incident, even though it did not operate any systems directly with the IT provider. Prosecutor Sandra Helgadottir told Sweden Herald that about 1.5 million people are impacted by the attack overall, underscoring the breadth of the incident’s consequences.