Extensive data breach against the public sector

The threat actor behind the breach, the hacker group Datacarry, demanded a ransom and then published the stolen material on the Darknet when payment was not received. The incident led to hundreds of organizations reporting personal data breaches to the Swedish Data Protection Authority (IMY) and raised serious concerns about the protection of sensitive information in the public sector.

Risk management is not optional?

This incident exposes shortcomings in Miljödata's risk management and information security work. The fact that a relatively small supplier handles such extensive and sensitive personal data (even data on protected identities was included in the leak) without being able to prevent a massive data breach indicates that systematic security work has been lacking or insufficient. An information security management system (ISMS) in accordance with the ISO 27001 standard could have provided a structure for continuously identifying and managing risks. The Swedish Civil Contingencies Agency (MSB) describes ISMS as “the organization's processes for governing and managing information security work” that must be evaluated on an ongoing basis and adapted to current risks, with clear support from management. The international ISO 27000 series of standards (including ISO/IEC 27001) offers just such a framework, where the level of security is based on risk analyses and the work follows a clear process. Had Miljödata had a mature security management system in place – with regular security audits, updated procedures and trained staff – vulnerabilities could perhaps have been detected and remedied in time. Although ISO 27001 certification does not guarantee that no incidents will occur, it signals that the organization systematically works with information security and is committed to continuous improvement.

The fact that the attackers managed to exfiltrate such a large amount of data indicates deficiencies in basic protective measures, such as security updates, network segmentation, or monitoring. Risk management appears to have been inadequate – either the risks (such as an exploitable vulnerability) were not identified, or the measures taken were insufficient to stop the intrusion. This raises the question of whether the management of Miljödata really prioritized security work. An ISMS according to ISO 27001 requires active management involvement and the integration of security into the governance of the business. When such involvement is lacking, security initiatives are often neglected, resulting in outdated systems and inadequate preparedness. Miljödata's public updates after the breach do describe technical measures that were taken after the fact (plugging vulnerabilities, resetting accounts, strengthening network restrictions, etc.), but these reactive measures could not prevent the data from actually being stolen and disseminated. Preventive work through a systematic security management system is what was needed even before the attack.

A natural question to ask is: How could so many public sector organizations engage a supplier without ensuring that it met high security requirements? Public authorities and municipalities are legally responsible for the personal data they handle, even when they outsource operations to an external supplier. According to the GDPR, a data controller “may only engage processors who provide sufficient guarantees” that the requirements of the data protection regulation, including security measures, are met. In the case of Miljödata, this means that every municipality, region, or authority that uses Adato should have ensured that the supplier had robust security measures and processes in place. This raises a potential liability issue: have public sector customers really evaluated and imposed sufficient security requirements on Miljödata during procurement and throughout the contract period? If not, they are failing in their statutory duty of care regarding citizens' personal data.

One reason may be that contracting authorities have traditionally focused more on functionality and price than on security. However, the Public Procurement Act (LOU) provides the opportunity to set relevant security requirements. The contracting authority clarifies that it is permissible to require, for example, an information security management system in accordance with ISO 27001 (or equivalent), provided that the requirement is proportionate and linked to what is being procured. In a business where the supplier handles sensitive customer data – such as cloud services or HR systems – such a requirement appears to be both appropriate and proportionate. Procuring organizations can specify in their technical specifications that the service must be developed and operated in accordance with ISO 27001 or an equivalent standard, and request proof (certification or audit) that this is the case. Despite this, few public IT procurements seem to set explicit requirements for certified security management systems. Perhaps they have been satisfied with general formulations that the supplier must have “adequate IT security” or comply with laws such as GDPR – requirements that are difficult to verify and measure if they are not linked to established standards.

In light of Miljödata's leak, it is clear that public sector organizations need to raise the bar. The supplier's security maturity should be examined as early as the procurement stage. Tools and frameworks are available: for example, the Swedish Association of Local Authorities and Regions (SKR) has developed the KLASSA model, where information security requirements are based on SS-ISO/IEC 27001/27002. Several municipalities use KLASSA to classify data and derive appropriate protective measures, which provides a checklist of requirements for IT suppliers. Security requirements should be included early in the requirements specification when new systems are procured – not as an afterthought.

The analysis of the attack shows that the requirements for suppliers must be significantly tightened. General statements about security are not enough – clear requirements must be set for compliance with standards such as ISO 27001 and GDPR, supplemented with concrete technical protections such as encryption, strong access control, and traceable logging.

But it doesn't stop there. A serious procurement process should also take into account the supplier's track record, incident procedures, and ability to recover quickly. In addition, contracts must explicitly regulate liability, response times, and compensation in the event of data leaks or operational disruptions. This provides both the buyer and the supplier with a clear framework for the protection and responsibility that actually applies when the worst happens.

Examples of important security requirements that public sector customers should impose on suppliers of critical IT services:

  • Information security management system: according to ISO/IEC 27001 (or equivalent standard) – the supplier must demonstrate that they work systematically with risk management, policies, audits, and continuous improvements.

  • Encryption and access management: All sensitive data must be encrypted both at rest and in transit. Strong authentication (e.g., multi-factor authentication) and strict access control must be in place for system users.

  • Monitoring and testing: The system must have comprehensive logging for traceability and detection of unauthorized activity. Regular penetration tests and vulnerability scans must be performed by the supplier to proactively identify security weaknesses before they can be exploited.

  • Incident and continuity management: The provider must have documented procedures for incident response, regular backups, and a disaster recovery plan. SLAs covering uptime and response times in the event of incidents should be in place, as well as requirements for immediate reporting of security incidents to the customer.

  • Compliance with laws: The service and the supplier must comply with applicable legal requirements (e.g., GDPR, NIS2 where relevant). Personal data must be stored within approved geographical areas (e.g., within the EU) and the supplier must be able to provide documentation for supervision and auditing.

By specifying and evaluating such requirements at the procurement stage, public purchasers can weed out operators who do not take security seriously. Had this been done with Miljödata, an ultimatum could have been issued to improve/certify security work, or another solution could have been chosen. Unfortunately, it is common for security requirements to be deprioritized in public procurement – sometimes out of ignorance, sometimes out of fear of limiting competition for tenders. But ignoring the security aspect can, as we see, be devastatingly expensive in the long run, both financially and in terms of public confidence.

Public decision-makers must start taking responsibility for security

It is easy to point the finger at an individual supplier that has been hacked, but the responsibility is shared. Public decision-makers – from procurement managers to municipal IT strategists and senior management – must view information security as a strategic issue and a shared responsibility. In many municipalities, IT security is something that “the IT department takes care of.” But when an entire municipality's personnel data is in the hands of an external partner, active ownership is required on the part of the customer.

This involves, among other things:

  • Prioritize security at management level: Management in the public sector should request risk reports and security status reports for critical systems, not just cost and efficiency reports. Security incidents should be treated as serious operational risks, not just technical problems.

  • Improve the organization's competence: Decision-makers must ensure that there is sufficient competence to set the right requirements and interpret security reports. If internal knowledge is lacking, experts should be consulted (for example, during procurement or audits) to ensure that important details are not overlooked.

  • Follow up and review: Setting requirements in the contract is only the beginning. Public sector customers must also continuously follow up to ensure that the supplier is meeting the requirements – through audits, reviews, and dialogue. In the Miljödata case, regular independent security reviews could perhaps have identified weaknesses before things went so far.

Decision-makers in the public sector also have a role to play in creating incentives and cultural change. If suppliers know that security is a prerequisite for winning public contracts, they will invest more in preventive measures such as certifications, better internal controls, and staff training. The public sector has considerable purchasing power – clearly signaling that “security first” applies in procurement can drive positive development throughout the industry. As a side effect, this also protects taxpayers' data and maintains confidence in digital services.

Conclusion: Time for stricter requirements and lessons learned from the incident

Miljödata's data leak should serve as a wake-up call. Risk management cannot be neglected by suppliers who handle sensitive information – and customers in the public sector must become better at demanding and verifying this risk management. The ISO 27001 standard is not a magic wand, but it does provide an established baseline for information security that serious players should live up to. When over a million pieces of personal data are leaked as a result of a single supplier's lack of security, it is clear that the status quo is not working.

In the debate that now follows, a few points are central: First, certified security management systems should become the norm for IT suppliers to the public sector – possibly through industry agreements or stricter procurement criteria. Secondly, public sector organizations must realize that responsibility for information security cannot be delegated away; purchasing a cloud service does not mean purchasing immunity from cyber risks. Thirdly, we need a culture where openness and lessons learned from incidents are shared, so that every municipality and authority can benefit from the hard lessons learned from incidents such as the Miljödata attack.

Finally, it is a matter of public trust. The public sector manages residents' data, and with that comes an obligation to protect that information with the utmost care. Inadequate security measures not only jeopardize individuals' privacy but also trust in digital welfare services. Let the Miljödata case be a catalyst for change: strengthen risk management, set strict security requirements, and take responsibility at all levels – before the next major data leak hits the headlines.

Sources:

This analysis is based on reports of the cyberattack against Miljödata in August–September 2025 and on guidelines from authorities: the Swedish National Procurement Agency, MSB, and IMY. These sources underscore the scope of the incident and the importance of systematic information security work, and highlight the opportunities and obligations that exist to set security requirements in public procurement.