Ransomware in the Supply Chain: Swedish IT Supplier Gets Hit
Only a couple of weeks after we published an analysis highlighting Sweden’s growing exposure to cyber attacks, a ransomware strike hit Miljödata, an IT software supplier to municipalities and regional governments in Sweden. Let’s take a deep dive into this incident and what can be learned from it.
What Happened in the Miljödata Ransomware Attack?
Among its various products, Miljödata provides a software system used to manage sick leave, incident reporting, medical certificates, work-environment tracking, and other HR workflows. Municipalities turn to third-party IT suppliers like Miljödata because it’s often more efficient. Rather than every municipality building its own stack, they outsource to vendors who provide standardized, shared platforms.

Miljödata software is built into HR and work environment management for roughly 80% of Swedish municipalities. Here’s what we know so far about the attack:
- Over the weekend of August 25, 2025, Miljödata was hit by a cyber attack, confirmed by its CEO, Erik Hallén. The disruption affected more than 200 municipalities and regional governments across Sweden.
- The systems disrupted include those handling medical certificates, rehabilitation, incident & work environment reporting, occupational injuries, and other HR functions.
- The attackers reportedly demanded a ransom of 5 Bitcoins (≈ €100,000) in exchange for not leaking sensitive data. Local media warned that “sensitive personal data may have been leaked.”
- Miljödata’s own website and e-mail servers went offline; many municipalities issued warnings to citizens in affected regions that their data might have been exposed.
While the deeper technical specifics of how the attack unfolded are yet to be revealed, one thing is clear: the threat actors used double extortion, pairing the encryption of systems with a threat to leak stolen data.
What Has the Fallout Been Like?
When personal data is involved, the impact is always worse. Being a supply chain attack, however, compounds this problem. Here we have a case of personal information belonging to people working with many different municipalities being compromised.

In fact, things became much worse on September 14, 2025, when over one million Swedes had their data published on the dark web. Those affected include:
- Lund University: 16,000 current and former employees affected (those employed from 2008 onward), per the university’s incident page.
- Linköping University: 11,000 staff impacted; local press reported that sensitive personal data had been published and cited a heightened phishing risk.
Details leaked in the Miljödata cyber attack, such as personal identity numbers, home addresses, and sick-leave/rehab history, enable targeted phishing, impersonation for benefits fraud, and long-tail extortion. The attack’s impact therefore goes well beyond a simple outage window.
Another notable aspect here is how many municipalities opted for the same software supplier. When one vendor underpins an important function for many organizations and businesses, a single attack can turn into a national exposure event. There is likely to be an extended second-wave risk window here, with affected Swedes experiencing weeks of spear-phishing that spoofs HR/rehab cases (“update your medical certificate,” “confirm sick-leave dates”), plus credential stuffing against edu/public portals using leaked PII.

The perpetrators of the attack have turned out to be a relatively new group on the scene; they call themselves Datacarry, as the Swedish Herald reports. Scant information exists on the tactics and tools they use. A ransom note published on ransomware.live contains the standard line “All files have been encrypted with a strong encryption algorithm.” The group also claimed responsibility for a separate attack on the popular French beauty brand Peggy Sage.
Takeaways: Supply Chain Fragility and the SME Dimension
Sweden’s high level of digitalisation is rightly celebrated. Municipalities, universities, and businesses alike have streamlined HR, payroll, and reporting processes through specialised platforms, freeing up staff for more meaningful work.
The answer to incidents like the Miljödata ransomware attack is not to retreat to pen-and-paper administration, but to confront the new reality of digital concentration risk. Namely, when many organisations depend on a single supplier, that supplier’s breach becomes a systemic national event.

SMEs, in particular, sit on both sides of the equation. They rely on specialised vendors like Miljödata because they cannot build every system in-house. At the same time, many SMEs provide critical services or software components upstream into larger ecosystems, meaning their vulnerabilities can ripple outward into schools, municipalities, or healthcare providers. That makes them both beneficiaries of digitalisation and potentially prime vectors of compromise.
For SMEs without the luxury of a dedicated SOC or sprawling security stack, DIESEC’s unified platform (powered by Coro) provides exactly the kind of modular protection they need. The solution covers email, endpoint, cloud apps, and identity in a single, lightweight console. Importantly, there are data governance features too, so you can see suspicious exposures of sensitive data, like those within the Miljödata tool. Pairing this with DIESEC’s consulting and testing expertise gives Swedish SMEs a way to fulfil their obligations in an increasingly interconnected ecosystem.
To boost your company’s security today, read more about our SME solution.

