This week’s Cyber Intelligence House Leak of the Week highlights a breach involving Miljödata.se. Miljödata is a Sweden-based software supplier whose HR and workplace health process support is widely used by public and private-sector organizations.
In September 2025, a dataset was posted on Datacarry’s TOR leak site, attributed to the Datacarry ransomware group. The dataset contained 186 files (~2.2 GB) consisting of 112 CSV, 17 PERSON, 17 ORG, 17 log, 17 ANSVARIG, 2 xls, 2 txt, 1 xlsx, and 1 doc. The schemas show extensive PII and HR data, including Swedish national IDs, names, contact information, addresses, employment details, union memberships, and working hours.
Five particularly sensitive pieces of evidence stand out:
– FTP konton.xlsx – Contains stored credentials and access details for file transfer services.
– scania_person.csv – Employee dataset for Scania, including personal identifiers, contact details, and employment metadata.
– SAS_norge_person.csv – Personnel records for SAS Norway employees, listing names, IDs, and job-related fields.
– gkn_aerospace_person.csv – Aerospace manufacturing workforce records tied to GKN Aerospace.
– volvo_manager_input.csv – Internal management data linked to Volvo, indicating role-based or hierarchical employee information.
These exposures confirm that the breach impacts not only Miljödata but also its enterprise and municipal clients.
Threat actor: Datacarry (first seen in 2025). Platforms: TOR leak portal (group’s onion site) and a public contact at datacarry@riseup.net. Victims attributed to Datacarry include Executive Jet Support (UK), Balcia Insurance (LV), ALB Forex (TR), Mammut Sports Group (CH), and Peggy Sage (FR). The group’s motive remains financial extortion through the double-extortion model of encryption plus publication.
Implications
For Individuals:
1. Exposure of national ID, address, and work details may enable identity theft and fraud.
2. Leaked emails and credentials increase the risk of phishing, credential stuffing, and account compromise.
3. Employment and HR records may be weaponized for extortion and targeted scams.
For Miljödata:
1. Severe GDPR exposure with potential fines and mandatory reporting.
2. Loss of trust and contracts with municipalities and corporate clients.
3. Increased operational disruption and reputational damage.
Supply Chain Risks:
Data from companies such as Volvo, Scania, SAS Norway, and GKN Aerospace indicate downstream compromise. The presence of FTP credentials intensifies third-party risk by exposing system-level access used across client organizations.
CIH’s Recommendations:
– Credential hygiene: Immediately reset all FTP, VPN, and admin credentials identified.
– Third-party risk management: Notify impacted client organizations (Volvo, Scania, SAS, GKN Aerospace) to mitigate exposure.
– Dark-web monitoring: Continuously track Datacarry’s TOR site and mirrors for reposting or wider dissemination of this dataset.