A major cybersecurity incident has shaken Sweden after a data breach at IT systems supplier Miljödata exposed the sensitive personal information of up to 1.5 million citizens. The Swedish Authority for Privacy Protection (IMY) has launched a full-scale investigation into the attack, which could represent one of the country’s largest data privacy violations in recent years.
Miljödata, a key IT provider serving about 80% of Sweden’s municipalities, confirmed that hackers infiltrated its systems and stole massive volumes of data, later demanding 1.5 Bitcoin to avoid public disclosure. The breach, first reported on August 25, caused operational disruptions across several regions including Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås, affecting public services and municipal operations.
Following the disclosure, CERT-SE and Swedish police launched immediate investigations, while IMY began assessing potential violations of the EU General Data Protection Regulation (GDPR). According to Jenny Bård, head of IMY, the breach “meant that a large portion of Sweden’s population had their personal data published on the Darknet — in many cases, even sensitive information.” She added that the investigation aims to uncover security weaknesses and identify lessons to prevent similar cyberattacks in the future.
The leaked data, reportedly posted on the dark web by the hacker group Datacarry, includes names, physical addresses, email addresses, government ID numbers, phone numbers, and dates of birth. The criminal group uploaded a 224MB archive of the stolen files on September 13, along with data from 12 other victims. BleepingComputer, which analyzed the breach, confirmed that Datacarry’s dark web portal now lists Miljödata among its major targets.
Interestingly, while IMY’s estimate of 1.5 million affected individuals paints a dire picture, Have I Been Pwned, a global breach alert platform, lists around 870,000 impacted records, suggesting discrepancies in reported figures. Still, the scale of the incident underscores critical gaps in Sweden’s municipal cybersecurity infrastructure, especially given Miljödata’s central role in local government IT systems.
IMY has decided to prioritize investigations into the most critical entities impacted by the breach — including Miljödata, the City of Gothenburg, the Municipality of Älmhult, and the Region of Västmanland. The agency will scrutinize security measures, data handling practices, and the protection of children’s and employees’ data, reflecting the gravity of the event’s potential human impact.
Although no ransomware demand has been publicly confirmed beyond the initial 1.5 Bitcoin request, experts believe this may be part of a broader data extortion campaign targeting municipal IT providers across Europe.
Conclusion
The Miljödata breach serves as a sobering reminder that even trusted government suppliers are not immune to cyberattacks. With millions of citizens’ data circulating on the dark web, the case has reignited urgent discussions about public sector cybersecurity, data privacy enforcement, and the need for stronger regulatory compliance under GDPR. As IMY’s investigation unfolds, Sweden faces mounting pressure to bolster its digital resilience and restore public trust in its critical data systems.
