Swedish DPA launches investigation into massive data breach affecting 1.5M people

Published: 4 November 2025
Last updated: 4 November 2025
swedish-flag-data-breach

The Swedish data protection authority IMY has announced that it will initiate an inquiry into a major data breach, in which personal information of 1.5 million Swedes was stolen.

Back in August, Swedish IT supplier Miljödata was the target of a large-scale ransomware attack, affecting around 200 municipalities and regions, including Gotland, Halland, Kalmar, Varberg, Umeå, Luleå, Kiruna, Mönsterås, Karlstad, and Skellefteå.

The attackers managed to obtain a large amount of personal data, including names, medical certificates, rehabilitation plans, occupational injuries, and other sensitive health information.

ADVERTISEMENT

“The scope of the incident has not yet been determined, and it is too early to ascertain the actual consequences. Regardless, the government takes issues relating to cyberattacks and IT incidents very seriously, and we understand the concern and uncertainty that cyberattacks can cause,” Minister for Civil Defense Carl-Oskar Bohlin stated in a message on X after the incident.

It has been over two months, and a substantial amount of personal information has been published on the dark web, affecting more than 1.5 million people. Since then, IMY has been in contact with Miljödata and several affected businesses. The privacy supervisor has now decided to commence an investigation into the matter.

imy-logo-contacting-miljödata-logo
Image by Cybernews.

“The Miljödata leak meant that a large part of Sweden’s population had their personal data published on the dark web, sensitive data in many cases. The leak raises a number of questions about what the security looked like and what types of personal data have been stored on the systems. Central to us is investigating possible shortcomings that can provide lessons forward, to reduce the risk of this type of event happening again,” Jenny Bård, Head of Camera Surveillance Unit at IMY, says in a statement.

Several businesses and organizations will be reviewed, including Miljödata, the City of Gothenburg, Älmhult municipality, and Västmanland region. The DPA doesn’t rule out that more actors will be investigated.

IMY hasn’t said when the investigation will be completed. The IT supplier hasn’t disclosed how the attackers were able to pull off the ransomware attack.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us
ADVERTISEMENT

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Meta has quietly shipped the technology needed for facial recognition glasses
Hackers getting an easy ride: misconfigured cloud settings behind growing number of data breaches
Anthropic claims AI is too fast and needs to hit the brakes: let’s take it with a pinch of salt
US lawmakers push new bill on AI safety, state law limits, worker protections
Pewdiepie declares war on big tech following the release of his free and local AI workspace
California tech CEO busted for selling forbidden US technology to Iran’s nuclear agency
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked