VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign InBook a Demo
Back to Insights
RESEARCH

Sweden's Biggest Data Breaches 2025-2026: What We Can Learn

Feb 28, 2026/7 min read
By Vakteye Team

1.5 million Swedes' personal data ended up on the darknet. Names, government IDs, addresses, and dates of birth, all exfiltrated in a ransomware attack on a platform serving 80% of Sweden's municipalities.

Sweden had a brutal year for data breaches. Between mid-2025 and early 2026, four incidents exposed the personal data of millions, including children, government employees, and sports club members. Each breach followed the same pattern: known weaknesses, slow response, avoidable damage.

If you run a business in Sweden, these aren't distant headlines. They're a preview of what IMY, NIS2, and your customers will hold you accountable for. Here's what happened and what it teaches us about data breach prevention in Sweden.

Miljödata: Ransomware That Hit 80% of Swedish Municipalities

In August 2025, the HR and work environment platform Miljödata was hit by a ransomware attack. The platform's Adato system served roughly 80% of Sweden's municipalities, handling sick leave management, rehabilitation cases, and workplace injury reports.

The attackers exfiltrated records affecting an estimated 1.5 million people before encrypting the systems. Personal data (names, government IDs, addresses, and dates of birth) appeared on darknet marketplaces within weeks.

  • Attack vector: Weaknesses in the company's cloud infrastructure exploited by threat group DataCarry
  • Data exposed: Names, government IDs, email addresses, phone numbers, dates of birth
  • Impact: 1.5 million individuals, approximately 164 municipalities and 4 regions disrupted
  • Timeline: Attack in August 2025, data published on darknet September 13, 2025

Miljödata was a shared-service provider for the vast majority of Swedish municipalities. A single point of compromise cascaded across the entire public sector. This is the supply chain risk that NIS2 Article 21(2)(d) addresses.

The lesson is uncomfortable: a single compromise in a shared-service provider can cascade across the entire public sector. Municipalities had no visibility into Miljödata's security posture.

CGI/BankID: Tax Agency Source Code Exposed

In March 2026, IT services giant CGI confirmed a breach that exposed source code belonging to the Swedish Tax Agency's BankID integration. The breach originated from a compromise of internal infrastructure, including a Jenkins build server, which attackers used to pivot through Docker containers and SSH keys to reach an internal GitLab instance.

The exposed code included authentication logic for Sweden's most critical digital identity system. CGI stated that the incident affected a limited number of internal test servers not in production, but security researchers warned that the leaked source code could be used to identify vulnerabilities in BankID implementations.

  • Attack vector: Jenkins server compromise, Docker escape, SSH key pivoting to internal GitLab
  • Data exposed: Tax Agency source code, BankID integration logic, e-government platform code
  • Impact: Potential downstream risk to all BankID-reliant services
  • Root cause: Insufficient network segmentation and internal access controls

This data breach in Sweden 2025-2026 illustrates a supply chain risk that NIS2 was designed to address. Your security is only as strong as your vendors'.

Sportadmin: 2.1 Million Records Including Children's Data

Sportadmin, a platform used by thousands of Swedish sports clubs, exposed 2.1 million records, including names, addresses, and personal details of children. IMY investigated and issued a SEK 6 million fine on 26 January 2026 (Article 32 GDPR).

Per IMY's official decision summary, Sportadmin had long been aware of weaknesses in its systems and areas with elevated risks of attack, but the company did not do enough to address them. IMY also found that Sportadmin lacked the routines required to detect deficiencies in existing security measures and had no system in place to detect intrusions and intrusion attempts in real time.

  • Attack vector: cyberattack exploiting unpatched, long-known security weaknesses (specific vector not named in IMY's published decision)
  • Data exposed: 2.1 million records, mainly children and young people — names, contact details, personal identity numbers, sport/club affiliation, and sensitive health data
  • Fine: SEK 6 million from IMY (Article 32 GDPR)
  • Root cause per IMY: known weaknesses left unaddressed, no routines to detect security deficiencies, no real-time intrusion detection

Children's data receives special protection under GDPR Article 8. Breaches involving minors attract higher fines and more aggressive enforcement.

Ericsson US: 15,000+ Employee Records

Ericsson disclosed a breach affecting over 15,000 individuals (employees and customers) at its US operations. The incident originated from a voice phishing (vishing) attack on a third-party vendor, which led to unauthorized access to systems containing social security numbers, financial information, and dates of birth.

While the breach occurred in the US, it triggered GDPR obligations because some affected employees were EU citizens on assignment. Cross-border breach notification added weeks of complexity.

  • Data exposed: Social security numbers, financial information, dates of birth for 15,000+ individuals
  • Attack vector: Voice phishing (vishing) targeting a third-party vendor
  • Complication: Cross-border GDPR notification requirements for EU citizens on US assignment

Common patterns across all four breaches

These aren't random events. They share a pattern that repeats across nearly every major data breach in Sweden.

  1. Known vulnerabilities left unpatched for months
  2. Missing or poorly enforced multi-factor authentication
  3. Excessive access privileges: developers and admins with more access than needed
  4. No regular penetration testing or automated security scanning
  5. Slow detection: breaches discovered weeks or months after initial compromise
  6. Third-party and supply chain risk underestimated

What proactive security scanning catches

Automated scanning doesn't prevent all breaches. But it catches the low-hanging fruit that attackers exploit first.

  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • Exposed admin panels and unauthenticated API endpoints
  • Outdated TLS configurations and expired certificates
  • Known CVEs in web-facing infrastructure
  • DNS misconfigurations that enable domain spoofing
  • Cookie security flags missing on session tokens

Multiple breaches above involved weaknesses that external security assessments could have identified. Insufficient access controls, missing network segmentation, and inadequate vendor security measures all have observable indicators.

How exposed is your website?

Vakteye scans for the same vulnerabilities that led to Sweden's biggest breaches. Get a compliance report in minutes, not months.

Start a free scan

NIS2 changes the stakes

Sweden's implementation of the NIS2 directive (Cybersäkerhetslagen) raises the bar. Essential entities face fines up to EUR 10 million or 2% of global revenue. Important entities face EUR 7 million or 1.4%.

NIS2 Article 21 requires risk-based security measures including vulnerability handling, supply chain security, and incident response. Article 23 mandates reporting significant incidents to CERT-SE within 24 hours.

Under NIS2 Article 20, management bodies can be held liable for failing to oversee cybersecurity measures. Article 32(5)(b) allows temporary prohibition of management functions. This isn't just an IT problem anymore.

Every one of the four breaches above would trigger NIS2 reporting obligations. Two of them (Miljödata and CGI) involved entities that likely fall under NIS2's essential or important categories.

Don't wait for your own headline

The pattern is clear: attackers target known weaknesses, regulators fine organizations that should have known better, and customers leave when trust is broken.

Learn from others' mistakes

Vakteye combines automated vulnerability scanning with GDPR and NIS2 compliance checks. Continuous monitoring catches new risks before they become breaches.

See what Vakteye finds

Are you at risk?

Book a compliance demo

We scan your site live during the call and show exactly which risks need attention first.

Book demo
Previous

How Vakteye's Compliance Scanner Works

Next

EDPB 2026: Why Transparency Enforcement Hits Swedish Businesses

Related Articles

RESEARCH5 min read

Meta Pixel pharmacy fine: 45 MSEK and what it means for your website

Apoteket AB and Apohem AB transferred medication purchase data to Meta via the Facebook Pixel. IMY fined them a combined SEK 45 million. Here's what happened and what it means for any site running third-party trackers.

VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.