On August 23, 2025, Swedish human resources software provider Miljödata discovered it had fallen victim to a devastating ransomware attack by the group DataCarry, an incident that ultimately exposed the personal data of 870,000 individuals and sent shockwaves through the Scandinavian business community. The breach affected major corporations including Volvo Group North America, Scandinavian airline SAS, mining company Boliden, and approximately 200 Swedish municipalities. As organizations increasingly rely on third-party HR and enterprise software providers, this attack highlights the urgent need for robust supply chain security practices.
The Threat Landscape
The Miljödata incident is a textbook example of how ransomware groups are increasingly targeting managed service providers and software vendors to maximize their impact. Rather than attacking individual organizations one by one, threat actors compromise a single provider to gain access to data across dozens or even hundreds of downstream clients simultaneously.
The ransomware group DataCarry executed the attack on August 20, 2025, but the breach was not discovered until August 23. By that time, the attackers had already exfiltrated significant volumes of data and published it on their Tor leak site. The compromised systems contained highly sensitive human resources data used by managers and HR departments to handle medical certificates, rehabilitation matters, and the reporting and management of work-related injuries.
According to the data breach notification service Have I Been Pwned, the leaked data includes email addresses, names, physical addresses, phone numbers, government-issued personal identity numbers, dates of birth, and gender information. Volvo Group North America separately disclosed to the Massachusetts Attorney General that employee names and Social Security numbers were among the exposed data.
Core Principles
Organizations must adopt a fundamentally different approach to third-party risk management. The traditional model of trusting vendors based on annual security questionnaires is no longer sufficient. Modern supply chain security requires continuous monitoring, contractual security requirements, and contingency planning for vendor compromise.
The first principle is data minimization. Organizations should share only the absolute minimum necessary data with third-party providers. Miljödata’s systems contained medical certificates, government identity numbers, and work injury reports — all highly sensitive categories that require the highest level of protection. Companies must evaluate whether their HR providers truly need access to every data field they collect.
The second principle is encryption at rest and in transit. If Miljödata’s stored data had been encrypted with keys managed by the client organizations rather than the provider itself, the impact of the ransomware attack would have been significantly reduced. The stolen data would have been unintelligible without the client-held decryption keys.
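The first two principles can be applied on the client side before any record reaches the HR provider. The following is an added example, not code from Miljödata or any affected organization: it default-denies fields outside an allow-list and replaces direct identifiers with a keyed pseudonym (HMAC-SHA256, a stand-in for full client-side encryption) whose key stays with the client. The field names, allow-list, sample record, and key are all constructed assumptions.

```python
import hashlib
import hmac

# Assumed allow-list: fields the vendor needs in clear text for case handling.
ALLOWED_CLEAR = {"case_id", "employer_unit", "absence_start", "absence_end"}
# Direct identifiers: replaced by a keyed token the vendor cannot reverse.
PSEUDONYMIZE = {"personal_identity_number", "email"}


def pseudonym(value, field, key):
    """HMAC-SHA256 token, stable per (field, value) so records still join.

    Identity numbers have low entropy, so a plain hash could be brute-forced;
    the secret key held by the client is what prevents that.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def minimize_record(record, key):
    """Return (payload for the vendor, sorted names of withheld fields)."""
    payload, withheld = {}, []
    for field, value in record.items():
        if field in ALLOWED_CLEAR:
            payload[field] = value
        elif field in PSEUDONYMIZE:
            payload[field + "_token"] = pseudonym(str(value), field, key)
        else:
            withheld.append(field)  # default deny: unknown fields never leave
    return payload, sorted(withheld)


# Constructed sample record; every value is made up.
SAMPLE = {
    "case_id": "R-2025-0042",
    "employer_unit": "Unit 7",
    "absence_start": "2025-03-01",
    "absence_end": "2025-03-14",
    "personal_identity_number": "19000101-0000",
    "email": "Anna.Example@example.org",
    "home_address": "Example Street 1",
    "medical_certificate_text": "constructed free text",
}
CLIENT_KEY = b"constructed-demo-key-kept-in-client-kms"  # never sent to vendor

if __name__ == "__main__":
    out, dropped = minimize_record(SAMPLE, CLIENT_KEY)
    print(out)
    print("withheld:", dropped)
```

A leak of the vendor's copy of this record would then contain case metadata and tokens, while the identity number, address, and certificate text never left the client.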
The third principle is network segmentation. HR software providers should maintain strict separation between client environments. The fact that 25 companies and 200 municipalities were all affected by a single attack suggests that the data was not adequately segmented or that shared infrastructure was compromised.
Tooling and Setup
Organizations looking to strengthen their third-party security posture should implement several key tools and processes. Start with a comprehensive vendor inventory that catalogs every third-party provider with access to sensitive data. For each vendor, document the type of data they can access, the integration method, and the access controls in place.
Deploy a vendor risk management platform that provides continuous monitoring of third-party security postures. Tools like SecurityScorecard, BitSight, or UpGuard can provide real-time visibility into vendor security ratings and alert you to potential compromises before they affect your organization.
Implement contractual security requirements including mandatory incident notification timelines (the three-day delay between the Miljödata attack and its discovery is concerning), right-to-audit clauses, and specific encryption and access control requirements. Ensure contracts include clear liability provisions for data breaches originating from the vendor.
For identity protection specifically, follow Volvo’s lead by pre-arranging identity protection and credit monitoring services that can be rapidly deployed to affected individuals. Volvo Group provided 18 months of complimentary Allstate Identity Protection Pro+ service, including credit monitoring, to affected employees.
Ongoing Vigilance
Supply chain security is not a one-time exercise. Organizations should conduct quarterly vendor security reviews, monitor the dark web for mentions of their vendors in breach-related contexts, and maintain an up-to-date incident response plan that specifically addresses third-party compromise scenarios.
The Miljödata incident also underscores the importance of rapid detection capabilities. The three-day gap between the August 20 attack and its August 23 discovery gave the threat actors ample time to exfiltrate and publish data. Organizations should require their vendors to maintain real-time threat detection and rapid notification capabilities.
Regular tabletop exercises that simulate third-party vendor compromise scenarios help teams prepare for the complex coordination required when a vendor breach is discovered. These exercises should include communication protocols, legal notification requirements, and technical containment procedures.
Final Takeaway
The Miljödata ransomware attack is a stark reminder that your security is only as strong as your weakest vendor link. In an era where ransomware groups specifically target service providers for maximum leverage, organizations must treat third-party risk management as a core security function. With Bitcoin trading at approximately $115,374 and the broader crypto ecosystem growing rapidly, the intersection of digital assets and enterprise security demands even greater attention to protecting sensitive data across the entire supply chain.
Education is still the biggest barrier to mainstream adoption
education is the barrier but so is UX. telling people to manage their own keys when they can't even update their passwords is a stretch
Volvo Group, SAS, Boliden all hit because their HR provider got breached. third party risk management is where the real security gap is, not individual user practices
The fundamental value proposition of crypto keeps getting stronger
The gap between crypto and TradFi is narrowing fast
the crypto-TradFi gap narrows every time a legacy institution gets breached. centralized data storage is the vulnerability, not the solution
DataCarry hit 200 municipalities through one vendor. that's the real threat model in 2026, not direct attacks but supply chain compromises that multiply the blast radius
one vendor and 200 municipalities compromised. the blast radius of a single supply chain breach scales exponentially with each downstream client
one vendor and 870K records exposed. the math on blast radius for MSP compromises keeps getting worse every year
DataCarry targeted HR software specifically because it has PII for every employee at every client. highest value per breach target imaginable
Volvo Group and SAS having their data exposed through an HR vendor they probably never audited. third party risk management is the real cybersecurity gap
200 municipalities through one vendor. supply chain risk is the actual threat model now, not direct attacks