1.5 million Swedes' personal data ended up on the darknet. Names, government IDs, addresses, and dates of birth, all exfiltrated in a ransomware attack on a platform serving 80% of Sweden's municipalities.
Sweden had a brutal year for data breaches. Between mid-2025 and early 2026, four incidents exposed the personal data of millions, including children, government employees, and sports club members. Each breach followed the same pattern: known weaknesses, slow response, avoidable damage.
If you run a business in Sweden, these aren't distant headlines. They're a preview of what IMY, NIS2, and your customers will hold you accountable for. Here's what happened and what it teaches us about data breach prevention in Sweden.
Miljödata: Ransomware That Hit 80% of Swedish Municipalities
In August 2025, the HR and work environment platform Miljödata was hit by a ransomware attack. The platform's Adato system served roughly 80% of Sweden's municipalities, handling sick leave management, rehabilitation cases, and workplace injury reports.
The attackers exfiltrated records affecting an estimated 1.5 million people before encrypting the systems. Personal data (names, government IDs, addresses, and dates of birth) appeared on darknet marketplaces within weeks.
- Attack vector: Weaknesses in the company's cloud infrastructure exploited by threat group DataCarry
- Data exposed: Names, government IDs, email addresses, phone numbers, dates of birth
- Impact: 1.5 million individuals, approximately 164 municipalities and 4 regions disrupted
- Timeline: Attack in August 2025, data published on darknet September 13, 2025
Miljödata was a shared-service provider for the vast majority of Swedish municipalities. A single point of compromise cascaded across the entire public sector. This is the supply chain risk that NIS2 Article 21(2)(d) addresses.
The lesson is uncomfortable: a single compromise in a shared-service provider can cascade across the entire public sector. Municipalities had no visibility into Miljödata's security posture.
CGI/BankID: Tax Agency Source Code Exposed
In March 2026, IT services giant CGI confirmed a breach that exposed source code belonging to the Swedish Tax Agency's BankID integration. The breach originated from a compromise of internal infrastructure, including a Jenkins build server, which attackers used to pivot through Docker containers and SSH keys to reach an internal GitLab instance.
The exposed code included authentication logic for Sweden's most critical digital identity system. CGI stated that the incident affected a limited number of internal test servers not in production, but security researchers warned that the leaked source code could be used to identify vulnerabilities in BankID implementations.
- Attack vector: Jenkins server compromise, Docker escape, SSH key pivoting to internal GitLab
- Data exposed: Tax Agency source code, BankID integration logic, e-government platform code
- Impact: Potential downstream risk to all BankID-reliant services
- Root cause: Insufficient network segmentation and internal access controls
This breach illustrates the supply chain risk that NIS2 was designed to address. Your security is only as strong as your vendors'.
Sportadmin: 2.1 Million Records Including Children's Data
Sportadmin, a platform used by thousands of Swedish sports clubs, exposed 2.1 million records, including names, addresses, and personal details of children. IMY investigated and issued a SEK 6 million fine.
The breach was caused by SQL injection vulnerabilities that IMY found Sportadmin had been aware of. IMY's investigation determined that Sportadmin had insufficient protection against SQL injection attacks despite known long-term risks, combined with excessive user permissions and inadequate code review routines.
- Attack vector: SQL injection exploiting known vulnerabilities in legacy code
- Data exposed: 2.1 million records including names, addresses, and birthdates of children and adults
- Fine: SEK 6 million from IMY
- Root cause: Known SQL injection risks left unaddressed, excessive user permissions, insufficient code review
Children's data receives special protection under GDPR Article 8. Breaches involving minors attract higher fines and more aggressive enforcement.
Ericsson US: 15,000+ Employee Records
Ericsson disclosed a breach affecting over 15,000 individuals (employees and customers) at its US operations. The incident originated from a voice phishing (vishing) attack on a third-party vendor, which led to unauthorized access to systems containing social security numbers, financial information, and dates of birth.
While the breach occurred in the US, it triggered GDPR obligations because some affected employees were EU citizens on assignment. Cross-border breach notification added weeks of complexity.
- Data exposed: Social security numbers, financial information, dates of birth for 15,000+ individuals
- Attack vector: Voice phishing (vishing) targeting a third-party vendor
- Complication: Cross-border GDPR notification requirements for EU citizens on US assignment
Common patterns across all four breaches
These aren't random events. They share a pattern that repeats across nearly every major data breach in Sweden.
- Known vulnerabilities left unpatched for months
- Missing or poorly enforced multi-factor authentication
- Excessive access privileges: developers and admins with more access than needed
- No regular penetration testing or automated security scanning
- Slow detection: breaches discovered weeks or months after initial compromise
- Third-party and supply chain risk underestimated
What proactive security scanning catches
Automated scanning doesn't prevent all breaches. But it catches the low-hanging fruit that attackers exploit first.
- Missing security headers (CSP, HSTS, X-Frame-Options)
- Exposed admin panels and unauthenticated API endpoints
- Outdated TLS configurations and expired certificates
- Known CVEs in web-facing infrastructure
- DNS misconfigurations that enable domain spoofing
- Cookie security flags missing on session tokens
Multiple breaches above involved weaknesses that external security assessments could have identified. Insufficient access controls, missing network segmentation, and inadequate vendor security measures all have observable indicators.
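The header and cookie items in the list above can be checked from a single HTTP response. The sketch below is an added example, not Vakteye's code and not taken from any of the incidents; the 180-day HSTS threshold, the session-cookie naming heuristic, and the sample headers are assumptions made for illustration.

```python
MIN_HSTS_AGE = 15552000  # 180 days; threshold is this example's assumption
SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed naming heuristic
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")
def _directives(value):
    """Split 'a=1; b' into {'a': '1', 'b': ''} with lower-cased keys."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def audit_headers(headers):
    """headers: (name, value) pairs, so repeated Set-Cookie lines survive."""
    findings, seen, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            seen[name.lower()] = value
    csp = seen.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    hsts = seen.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = _directives(hsts).get("max-age", "").strip('"')
        if not age.isdigit() or int(age) < MIN_HSTS_AGE:
            findings.append(f"weak HSTS max-age: {age or 'absent'}")
    framed = any(d.strip().lower().startswith("frame-ancestors")
                 for d in (csp or "").split(";"))
    if "x-frame-options" not in seen and not framed:
        findings.append("no framing protection (X-Frame-Options / frame-ancestors)")
    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # only session-like cookies are in scope here
        attrs = _directives(raw.partition(";")[2])
        missing = [f for f in COOKIE_FLAGS if f.lower() not in attrs]
        if missing:
            findings.append(f"cookie {name}: missing {', '.join(missing)}")
    return findings

# Constructed response headers (not captured from any real site).
SAMPLE = [("Strict-Transport-Security", "max-age=300"),
          ("Content-Security-Policy", "default-src 'self'"),
          ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
          ("Set-Cookie", "theme=dark; Path=/")]
print(audit_headers(SAMPLE))
```

An empty list means none of these specific gaps were observed in that response; it says nothing about the other items in the list, such as TLS configuration, DNS, or known CVEs.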
How exposed is your website?
Vakteye scans for the same vulnerabilities that led to Sweden's biggest breaches. Get a compliance report in minutes, not months.
NIS2 changes the stakes
Sweden's implementation of the NIS2 directive (Cybersäkerhetslagen) raises the bar. Essential entities face fines up to EUR 10 million or 2% of global revenue. Important entities face EUR 7 million or 1.4%.
NIS2 Article 21 requires risk-based security measures including vulnerability handling, supply chain security, and incident response. Article 23 mandates reporting significant incidents to CERT-SE within 24 hours.
Under NIS2, management can be held personally liable for failing to implement adequate cybersecurity measures. This isn't just an IT problem anymore.
Every one of the four breaches above would trigger NIS2 reporting obligations. Two of them (Miljödata and CGI) involved entities that likely fall under NIS2's essential or important categories.
Don't wait for your own headline
The pattern is clear: attackers target known weaknesses, regulators fine organizations that should have known better, and customers leave when trust is broken.
Learn from others' mistakes
Vakteye combines automated vulnerability scanning with GDPR and NIS2 compliance checks. Continuous monitoring catches new risks before they become breaches.