therecord.media Alexander Martin
August 27th, 2025
A suspected ransomware attack on a Swedish software provider is believed to have impacted around 200 of the country’s municipal governments.
A suspected ransomware attack on Miljödata, a Swedish software provider used for managing sick leave and similar HR reports, is believed to have impacted around 200 of the country’s municipal governments.
The attack was detected on Saturday, according to the company’s chief executive Erik Hallén. The attackers are attempting to extort Miljödata, police told local newspaper BLT.
Swedish Minister for Civil Defence Carl-Oskar Bohlin wrote in a short update on social media: “The scope of the incident has not yet been clarified, and it is too early to determine the actual consequences.”
Hallén told Swedish press agency TT that around 200 municipalities and regions were affected by the incident. Sweden has 290 municipalities and 21 regions.
Several regional governments have confirmed using Miljödata systems to handle employee data, including “for example, medical certificates, rehabilitation plans, work-related injuries, and more,” according to the local government of the island of Gotland.
Hallén reportedly said Miljödata was “working very intensively with external experts to investigate what happened, what and who was affected, and to restore system functionality.”
“The government is receiving ongoing information about the incident and is in close contact with the relevant authorities,” Bohlin, the civil defense minister, said.
“CERT-SE, which has the task of supporting Swedish society in handling and preventing IT security incidents, has offered advice and support to both the company in question and the affected customers,” the minister added. “The national cybersecurity center is coordinating the measures of the relevant authorities. A police investigation is also underway.”
He stressed the incident underscored the need for high levels of cybersecurity throughout society, and said the Swedish government planned to present a new cybersecurity bill to the Swedish parliament in the near future “that will impose increased requirements on a wide range of actors.”
An unsecured server has exposed hundreds of millions of detailed records on Swedish citizens and companies, offering a data goldmine for anyone who stumbles on it.
A misconfigured Elasticsearch server has exposed a goldmine of business intelligence data with hundreds of millions of highly detailed records tied to Swedish individuals and organizations.
Cybernews researchers identified the unsecured database, which did not require any authentication and was fully accessible to the public internet.
The leaked data consisted of over 100 million records dated from 2019 to 2024, spread across 25 separate indices, with some datasets ballooning to more than 200GB in size.
What was leaked?
Many leaked records contained highly sensitive personal and organizational information, including:
Full legal names, including history of previous names
Swedish personal identity numbers
Date of birth and gender
Address history, both in Sweden and abroad
Civil status and information about deceased individuals
Foreign addresses for emigrants
Debt records, payment remarks, bankruptcy history, property ownership indicators
Income tax data spanning several years (2019–2023)
Activity and event logs (including income statement submissions, migration status, and address updates)
No longer a neutral state, Sweden is now facing a wave of cyberattacks targeting key institutions.
Sweden is under attack, Prime Minister Ulf Kristersson said on Wednesday, following three days of disruptions targeting public broadcaster SVT and other key institutions.
"We are exposed to enormous cyberattacks. Those on SVT have now been recognised, but banks and Bank-id have also been affected," Kristersson told journalists in parliament.
The attacks have been identified as Distributed Denial-of-Service (DDoS) events and disrupted services, raising concerns about the resilience of Sweden’s digital infrastructure.
While Kristersson did not name a specific perpetrator, he referred to earlier reports by the Swedish Security Service, which has identified Russia, China, and Iran as frequent actors behind such cyber operations.
The incidents have heightened concerns about vulnerabilities in Sweden’s cybersecurity systems and underscored the growing threat to critical infrastructure in one of the world’s most connected nations, where over 93% of households have internet access.
Cybersecurity experts have warned that such breaches could escalate, impacting not just digital services, but also public trust.
The attacks come amid heightened geopolitical tensions. Sweden's recent accession to NATO and its support for Ukraine have likely made it a more prominent target for cyberattacks, including those originating from hostile states.
Previously known for its military neutrality, Sweden now faces what Kristersson described earlier this year as a "new and more dangerous reality" since joining NATO in 2024.
As part of its pledge to meet NATO's 2% of GDP defence spending target, the Swedish government has committed to invest heavily in cybersecurity and military capabilities.
Another undersea data cable, this time connecting Sweden and Latvia, has been severed in the Baltic Sea, officials from both countries said Sunday. The incident prompted Sweden to launch a criminal probe into the matter and seize a "suspect vessel" headed for Russia.