What Sweden's recent cyber incidents reveal about its exposure
Recent cybersecurity incidents in Sweden expose different layers of the same problem: structural dependencies that have been allowed to grow without being mapped, owned, or rehearsed.
Recent cybersecurity incidents may have varying names in the headlines, but the underlying structural problem is the same.
The brief:
Sweden’s recent cyber incidents, Miljödata in August 2025, Tietoevry in January 2024, Dorotea and Vilhelmina in April 2026, share a single pattern. The exposure wasn’t purely technical, but organisational. Swedish organisations have built deep operational dependencies on suppliers they can’t monitor, on equipment they can’t always patch in time, and on continuity plans that assume IT will be ready in an instant. If any of these assumptions fail, leaders are held accountable.
This piece looks at what three Swedish incidents reveal about where the real exposure is.
What happened at Miljödata, and what it reveals about supplier concentration
Miljödata is a mid-sized Swedish SaaS vendor whose HR and work-environment software is used by roughly 80% of Swedish municipalities, about 200 of the country’s 290 kommuner, plus 21 regions. On 23 August 2025, attackers encrypted Miljödata’s environment and demanded 1.5 BTC in ransom. Miljödata refused. By mid-September, around 1.5 million Swedes’ personal data had been published on dark-web forums, including medical certificates, rehabilitation plans and work-injury reports.
The root issue was a mid-sized supplier that was responsible for the HR systems of most Swedish local governments. When the supplier fell, every customer fell at the same time.
Sweden’s Data Protection Authority (IMY) opened a formal investigation in October 2025, not just into Miljödata, the processor, but into the controllers (Region Västmanland, Älmhult, and the City of Gothenburg) for their failure to meet GDPR requirements. The buyer is accountable for the suppliers they choose.
Perhaps buying the same solution as the other departments was viewed as procurement efficiency, but the reality was that 200 municipalities bought the same point of failure.
What Tietoevry shows about perimeter and patch-cycle dependency
On the night of 19–20 January 2024, the Akira ransomware group encrypted a virtualisation cluster inside one of Tietoevry’s Swedish data centres. The initial access point was a Cisco ASA / Firepower VPN appliance with an unpatched authentication-bypass vulnerability, CVE-2023-20269. Cisco had published the patch on 11 October 2023. CISA had added the CVE to its known-exploited list on 13 November 2023. The Finnish national cybersecurity centre had warned about the issue twice, including five days before the breach.
The downstream effect lasted weeks. Filmstaden’s online movie ticket service went offline. Roughly 100 stores in the Rusta and Granngården chains closed. Region Uppsala lost healthcare and financial systems. More than 30 government agencies running the Primula HR/payroll system were affected, including, in part, the Swedish Parliament. Munters, a publicly listed Tietoevry customer, had to pre-release its Q4 2023 results because it could no longer guarantee the confidentiality of its financial-consolidation system.
The exposure here was that the patch existed for three months before the attack. The window between “fix is available” and “fix is deployed” is where bad actors operate. Many organisations do not track that time window consistently, if at all.
What Dorotea and Vilhelmina prove about operational readiness
In the early hours of 9 April 2026, Vilhelmina and Dorotea municipalities were hit by ransomware. Åsele municipality was affected in a more limited way. Dorotea entered formal crisis mode. Both municipalities lost websites, e-services, and their internal IT estates. The ransomware group posted Dorotea on its leak-site countdown clock with a 24-hour ultimatum. Recovery, according to Dorotea’s municipality director, would take several weeks based on historical evidence.
Note the differences in responses:
Dorotea kept home care and childcare running on pen and paper. By doing this, the municipality was able to absorb the impact, because someone had decided, well in advance, that the staff providing elderly care and childcare needed to know how to keep delivering services without a network.
Vilhelmina was still trying to map the scope of the intrusion hours into the response, assessing through the county administrative board whether others had been hit too. This is what a response looks like under pressure, when external coordination matters and you don’t yet know the size of the problem.
The big difference here was preparation. In Dorotea, continuity had been rehearsed, not only documented.
So what is Sweden’s real exposure?
The three incidents reviewed here demonstrate three points of exposure:
Supplier concentration. Not enough buyers consider dependencies of popular vendors. For this reason, NIS2’s emphasis is on supply-chain risk management.
Edge and patch dependency. Many organisations do not track deployments of patches. Patch SLAs on internet-connected devices aren’t an IT-ops detail, but an operational risk for the board to plan for.
Lack of operational readiness. Not enough municipalities have rehearsed what to do when systems go dark. That resilience needs to be built before it is needed.
None of this requires new threat intelligence. The Swedish security agencies and CERT-SE have been clear about all three exposures for years. What’s changed in 2024–2026 is that the cost of leaving them unaddressed has become very visible with long-lasting effects.
What this means
Miljödata, Tietoevry and the Västerbotten municipalities each expose a different layer of the same problem: structural dependencies that have been allowed to grow without being mapped, owned, or rehearsed.
That’s the work to be done, and under NIS2, it’s no longer optional.
Frequently asked questions
What does NIS2 require regarding supplier and supply-chain risk?
NIS2 requires regulated organisations to identify and manage cybersecurity risks across their supply chain, including direct suppliers, sub-contractors and third-party service providers. The Miljödata investigation by IMY signals how this will be enforced in practice: the customer organisation, not just the supplier, is accountable for understanding and mitigating supplier dependencies. Concentration risk, depending on a single supplier shared with peers, is treated as a managed risk, not a procurement question.
Why are Swedish municipalities such frequent ransomware targets?
Swedish municipalities deliver critical welfare services (home care, childcare, elderly care, schools) on relatively constrained IT budgets and frequently share infrastructure or software suppliers across many kommuner. That combination (essential services, time pressure on recovery and concentrated supplier dependencies) makes them attractive to ransomware groups looking for high-leverage targets, and means a single supplier compromise can cascade across dozens of councils simultaneously.