Date of Incident:
August 25, 2023
Overview:
The Miljödata data breach, discovered on August 25, 2023, and reported on November 4, 2025, exposed the personal information of 1.5 million individuals, including names, email addresses, and government IDs. The breach affected operations across multiple Swedish regions and prompted an investigation into GDPR violations. The attackers gained unauthorized access to Miljödata’s databases, most likely through phishing that led to credential compromise, and their activity mapped to MITRE ATT&CK techniques T1486 (Data Encrypted for Impact) and T1086 (PowerShell). Data was exfiltrated via anonymized servers, with indicators of compromise including specific IPs, malicious domains, and file hashes. The incident highlighted weaknesses in data handling by municipalities and raised concerns about Miljödata’s security measures.
Impact:
Data belonging to 1.5 million people was exposed, including names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth. The data was posted on the dark web, causing operational disruptions in multiple regions of Sweden. The breach led to an ongoing investigation into potential GDPR violations, focused on the data handling practices of municipalities and the security measures of Miljödata.
Details:
This data breach involved unauthorized access to Miljödata’s databases, resulting in the exposure of personal data belonging to approximately 1.5 million individuals. The attack techniques align with MITRE ATT&CK techniques T1486 (Data Encrypted for Impact) and T1086 (PowerShell); the suspected initial access vector was T1566 (Phishing), leading to credential compromise. Payload analysis indicates the use of obfuscated PowerShell scripts that performed remote data exfiltration via HTTP POST to anonymized C2 servers. IOCs from the breach include compromised IP addresses: 185.62.189.23, 194.30.157.90; malicious domains: darkwebdata[.]onion, miljodata-leak[.]xyz; file hashes related to malware: 8f14e45fceea167a5a36dedd4bea25
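As an added illustration (not part of the original summary or of any Miljödata tooling), the following matches the IOCs listed above against constructed proxy-log lines and also flags the described exfiltration pattern, a large HTTP POST from a PowerShell client; the log format and the sample lines are assumptions.

```python
import re

# IOCs as listed in the breach summary above (domains are written defanged there).
IOC_IPS = {"185.62.189.23", "194.30.157.90"}
IOC_DOMAINS_DEFANGED = {"darkwebdata[.]onion", "miljodata-leak[.]xyz"}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'evil[.]xyz' into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Assumed proxy-log layout (constructed for this example, not a real product schema):
# <timestamp> <src_ip> <dst_ip> <method> <url> <bytes_out> <user_agent...>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<bytes>\d+) (?P<ua>.*)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)

def classify(line: str) -> list[str]:
    """Return the reasons a log line is suspicious; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    reasons = []
    if m["dst"] in IOC_IPS:
        reasons.append(f"dst ip {m['dst']} is a listed IOC")
    host = HOST_RE.match(m["url"])
    if host and host.group(1).lower() in IOC_DOMAINS:
        reasons.append(f"host {host.group(1)} is a listed IOC")
    # A large outbound POST from a PowerShell client (the default User-Agent of
    # Windows PowerShell's web cmdlets contains "WindowsPowerShell/") fits the
    # exfiltration pattern described in the summary.
    if m["method"] == "POST" and int(m["bytes"]) > 1_000_000 and "powershell" in m["ua"].lower():
        reasons.append("large POST from PowerShell client")
    return reasons

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> reasons for every line that is not clean."""
    return {i: r for i, line in enumerate(lines) if (r := classify(line))}

# Constructed sample log lines; addresses are from the IOC list or documentation ranges.
SAMPLE_LOG = [
    "2023-08-25T02:14:07Z 10.20.1.15 194.30.157.90 POST http://194.30.157.90/upload 5242880 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1682",
    "2023-08-25T02:15:30Z 10.20.1.15 203.0.113.7 POST https://miljodata-leak.xyz/api 2097152 curl/8.1.2",
    "2023-08-25T02:16:01Z 10.20.1.22 198.51.100.4 GET https://update.example.com/pkg.msi 0 Microsoft-Delivery-Optimization/10.0",
    "2023-08-25T02:17:45Z 10.20.1.30 198.51.100.9 POST https://files.example.com/sync 3000000 Mozilla/5.0 WindowsPowerShell/5.1",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, "; ".join(reasons))
```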
Remediation:
Miljödata promptly applied vendor-recommended patches, addressing the exploited vulnerabilities in its software stack. Temporary mitigation included immediate password resets for all affected users and enhanced multi-factor authentication across all access points. Network segmentation was improved to reduce the risk of lateral movement. Monitoring of dark web channels was increased, and user security awareness training was introduced to counter phishing vectors. A comprehensive audit of data handling and protection measures was also initiated as part of GDPR compliance remediation.
Takeaway for CISO:
The breach highlights critical risks from phishing-based credential compromise leading to extensive personal data exposure affecting millions. CISOs must strengthen detection capabilities for lateral movement and anomalous data flows, prioritize patch management, and enforce strong authentication. Proactive dark web monitoring and regular security awareness training are vital to counter evolving social engineering threats in supply chain IT environments.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management