The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people.
Miljödata is an IT systems supplier for roughly 80% of Sweden's municipalities. The company disclosed the incident on August 25, saying that the attackers stole data and demanded 1.5 Bitcoin to not leak it.
The attack caused operational disruptions that affected citizens in multiple regions in the country, including Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås.
Because of the large impact, the state monitored the situation from the time of disclosure, with CERT-SE and the police starting to investigate immediately..
According to IMY, the attacker exposed on the dark web data that corresponds to 1.5 million people in the country, creating the basis for investigating potential General Data Protection Regulation (GDPR) violations.
"The Miljödata leak meant that a large portion of Sweden's population had their personal data published on the Darknet — in many cases, even sensitive information," stated IMY's head, Jenny Bård.
"The leak raises a number of questions about the level of security and what types of personal data were stored in the systems."
"Our main focus is to investigate any shortcomings that could provide lessons going forward, in order to reduce the risk of similar incidents happening again."
Due to the extensive impact, IMY has decided to prioritize investigation targets in accordance to the criticality of their operations, limiting it to Miljödata, the City of Gothenburg, the Municipality of Älmhult, and the Region of Västmanland.
Miljödata will be investigated in relation to security measures, while the municipalities will be examined for their data handling practices, with particular focus on children's data, protected identity subjects, and former employees.
Additional entities may be investigated in the future, but there are no such plans for now.
Although no ransomware groups had claimed the attack when Miljödata disclosed the incident, BleepingComputer found that the threat group Datacarry posted the stolen data on its dark web portal on September 13.
Source: BleepingComputer
The threat actors, who list an additional 12 victims on their website, provide a 224MB archive with data allegedly stolen from Miljödata.
Have I Been Pwned has also added to its database the leaked Miljödata information, which contains names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth.
The data breach alerting service reports that the leaked data corresponds to 870,000 people, which is roughly half the figure provided by IMY.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Comments
NotaSwede - 1 month ago
Full disclosure: I am not a Swedish national, but work in Sweden and am a victim of this leak. I have worked in information security for over 10 years. I have analyzed the leaked data that is downloadable from the dark web.
HaveIbeenPwned has found a number of email addresses. The data is not "uniform", each customer had their own SQL database with quite often, custom fields and little (if any?) data format limitations (yes, that makes it terrible to optimize SQL databases, architecture anyone?). About half of the registered persons, does not have an email address listed. There are obviously doubles as well, since people moved employment. This explains the difference between the numbers HaveIbeenPwned and the Swedish government published.
Apart from 80% of municipalities, several large companies and parts of national government (identities of people in certain military branches have been leaked) have also been a victim of this leak.
1.5 million people amounts to about one in five Swedes.
The data structure of the leak suggests that the attackers dumped SQL tables containing personal ID numbers, email addresses and names and whatever was in the same table, without the attackers looking carefully what the data relevance was.
In a number of cases, the database contained sensitive medical information, but this was apparently not stolen by the attackers, that, or it was at least not leaked in the 224MB dump.
Personal opinion: Miljödata initially claimed no data was stolen since they "had no indication it was". Downplaying and misinforming victims should be an immediate reason for strong fines. Not just for the company, but for the management responsible personally as well. Yes, that might very well bankrupt the company and the people. That is exactly why it should be done. The product can be bought from the bankruptcy and continued by a company that is actually responsible, I have no worries about the continuity of the service that Sweden depends on. What is more important: the people that mistreat this sort of information should know that the punishment is so severe that no other individual or company will ever mistreat data this way ever again.
Delarba - 1 month ago
Hi,
I interesting input! I am a journalist based in Sweden I would like to talk to you for an article about a similar topic.
ciso4lyfe - 1 month ago
I think fines are a good start, however there are so many reasons these types of things keep happening. For the past 5 or so years I have been a CISO and I always tell people that 90% of cyber security is good practice and good digital hygiene, which in an ideal world is true. The biggest challenge I see today is that there exists a large chasm in the communication of technical teams and leadership to the board and executive. I've been in countless meetings with executives and board members trying to explain the nuance and scale that the cyber security problem represents, practicing the most simplistic language I can get my point across only to be told it's too technical. This is followed by the expectation that I simplify the message until it's broken down to its most basic representation which is that it is a huge problem that is going to take not only a concerted effort, but new skills and more people. We need to stop lumping new work on people and expecting them to just absorb it. People need the space to learn, the time to think about what they are doing and the respect to be listened to. The board and executive need to take true accountability by empowering themselves and their people with knowledge, skills and the right tools. I know this is going to sound negative but "More revenue, lower cost!" is likely not be possible for a company that has security challenges they need to overcome. The truth is however that done right more revenue will be entirely possible if you give cyber security your due diligence because those that don’t will lose their clients trust or even their ability to do business. Assigning cyber security responsibility to the CTO, the same guy that has for years been forced to lower costs by cutting corners and reducing headcount is only going to result in the challenges being swept under the rug in the name of “efficiency” resulting in rinse and repeat.