Personal data breach following unathorized access at Miljödata

Published:

Updated:

System provider Miljödata has experienced a data breach. Personal information about employees and former employees of the City of Stockholm was stolen and published on Darknet. The City is actively working on response measures.

A large number of municipalities and other organizations have been affected by the data breach at Miljödata. Stolen personal data is also available on Darknet. The city is now investigating what has happened. Affected individuals are being informed, and necessary measures are being taken. The City has reported the personal data breach to the Swedish Authority for Privacy Protection (IMY) and to the police. A preliminary investigation into the data breach is ongoing.

What has happened?

On August 25, the City of Stockholm received information from the system provider Miljödata that their IT environments had been subjected to a data breach. The City has no operational systems with Miljödata, the personal data was in a production environment ahead of the upcoming implementation of a system for reporting and monitoring work environment incidents. 

During the data breach at Miljödata in August, personal data was stolen. It became known on Sunday, September 14, that the stolen personal data was published on Darknet. Darknet is an encrypted part of the internet that requires special software to access.

The personal data that the City of Stockholm shared with Miljödata includes: 

  • personal identification number
  • first name and last name
  • phone and mobile phone (home and/or work)
  • email address (home and/or work)
  • mailing address (home)
  • organizational links (Web ID structure in LISA self-service)
  • employment identity/AD account
  • employment period
  • employment type
  • profession/position (job code).

Who is affected by the personal data incident?

The incident concerns personal information about employees who are or have been employed by the City of Stockholm's administrations (not companies) during the period from 2024 to August 2025.

Are individuals with protected personal data affected?

The City's analysis of the information published on Darknet shows that protected personal data is included in the data that has been stolen. The City takes this incident very seriously and is working intensively to implement the necessary measures. The work is prioritized and handled individually based on the information known to the city. What measures are taken cannot be commented on due to confidentiality. 

Former employees who have left their positions at the City of Stockholm since 2024 and have received protected personal data after their employment was terminated, is asked to contact the department's data protection officer, see contact details below.

What measures has the city taken? 

The City of Stockholm has reported the personal data breach to the Swedish Authority for Privacy Protection (IMY) and to the police. A preliminary investigation into the data breach is ongoing. 

The employees with protected personal data who have been affected are being handled individually and prioritized. 

The City of Stockholm continues to analyze the data that has been disclosed. The City has a close and ongoing dialogue with the system provider Miljödata. 

The city is following the police's criminal investigation.

Likely consequences of the personal data breach

Possible consequences of the incident are that employees risk losing control over their personal data and that the personal data is used in a fraudulent manner. It may involve fraudsters pretending to be a reliable source (such as a bank or a company) to deceive you into disclosing sensitive information such as bank details or passwords.

Pay special attention to:

  • Suspicious emails, phone calls, or other communication that at first glance seems to come from trusted sources.
  • Be skeptical of unexpected contacts. Request to call back (i.e., hang up and call a number you know, or through a known switchboard number).
  • Never identify yourself with, for example, bank-ID unless you are the one who made the contact. Do not click on links or attachments in SMS and such.
  • Be alert if mail is missing, if new bank accounts or phone subscriptions you don’t recognize are opened in your name, or if you receive invoices for goods you didn’t order and letters from credit agencies about credit applications you don’t recognize.
  • If you suspect your information has been misused, you should report this to the police immediately.

Read more about how you can limit any potential harm:

Digital security, MSB website 

Identity fraud, Swedish Tax Agency website

Åtgärder om du har berörts av en personuppgiftsincident, IMY:s webbplats (Swedish)

Har personuppgifter om dig läckt i it-angreppet mot Miljödata? IMY:s webbplats (Swedish)

Contact

Employees and former employees who feel concerned or have questions about what happened should reach out to the data protection officer at the department they are or have been employed at. 

Data Protection Officer, the City of Stockholm website (Swedish)

You can also contact your manager or the HR function at your department.