Volvo North America suffered a **ransomware attack** on its HR system provider, **Miljödata**, in August 2023. The **DataCarry ransomware group** breached Miljödata’s **Adato system**—a platform managing employee sick leave and rehabilitation—exfiltrating sensitive data. For Volvo, the attack exposed **employees' first and last names along with Social Security numbers (SSNs)**. While other affected organizations faced broader data leaks (e.g., phone numbers, addresses, emails, and dates of birth), Volvo’s breach was limited to **employee identity data**. The attack disrupted **200 Swedish municipalities** relying on Miljödata’s software, with **1.5 million individuals impacted** overall, including employees from companies like **SAS Airlines** and multiple universities. Miljödata confirmed the breach on **August 25**, three days after detection, and initiated remediation with cybersecurity experts. The stolen data was later **published on the dark web** by DataCarry. Volvo emphasized ongoing monitoring but did not disclose the full scale of its internal exposure beyond SSNs and names.
Source: https://www.theregister.com/2025/09/26/volvo_north_america_confirms_staff/
TPRM report: https://www.rankiteo.com/company/volvo-group
"id": "vol2792427092625",
"linkid": "volvo-group",
"type": "Ransomware",
"date": "8/2023",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Automotive',
'location': 'North America (headquartered in Sweden)',
'name': 'Volvo North America',
'size': 'Large',
'type': 'Private (Automotive Manufacturer)'},
{'customers_affected': '1.5 million individuals '
'(including employees of client '
'organizations)',
'industry': 'HR/Software Services',
'location': 'Sweden',
'name': 'Miljödata',
'type': 'Private (Software Provider)'},
{'customers_affected': 'Current and former employees '
'(joined before June 21, 2021)',
'industry': 'Aviation',
'location': 'Sweden',
'name': 'Swedish Airline (SAS)',
'size': 'Large',
'type': 'Private (Airline)'},
{'customers_affected': 'Employees (data from workplace '
'incident reporting system)',
'industry': 'Government',
'location': 'Stockholm, Sweden',
'name': 'City of Stockholm',
'type': 'Public (Municipality)'},
{'industry': 'Education',
'location': 'Sweden',
'name': 'Chalmers University of Technology',
'type': 'Public (Educational Institution)'},
{'industry': 'Education',
'location': 'Sweden',
'name': 'Karlstad University',
'type': 'Public (Educational Institution)'},
{'industry': 'Education',
'location': 'Sweden',
'name': 'Örebro University',
'type': 'Public (Educational Institution)'},
{'industry': 'Education',
'location': 'Sweden',
'name': 'Lunds University',
'type': 'Public (Educational Institution)'},
{'industry': 'Education',
'location': 'Sweden',
'name': 'Linköping University',
'type': 'Public (Educational Institution)'},
{'industry': 'Education',
'location': 'Sweden',
'name': 'Umeå University',
'type': 'Public (Educational Institution)'},
{'industry': 'Education/Agriculture',
'location': 'Sweden',
'name': 'Swedish University of Agricultural Sciences',
'type': 'Public (Educational Institution)'},
{'customers_affected': 'Public service disruptions',
'industry': 'Government',
'location': 'Sweden',
'name': '200 Swedish Municipalities',
'type': 'Public (Local Governments)'}],
'attack_vector': "Exploitation of vulnerabilities in Miljödata's Adato system "
'(cloud-hosted environment)',
'data_breach': {'data_encryption': "Yes (ransomware encryption of Miljödata's "
'systems)',
'data_exfiltration': 'Yes (data available for download on '
"DataCarry's dark web site)",
'file_types_exposed': ['HR records',
'employee databases',
'workplace incident reports'],
'number_of_records_exposed': '1,500,000 (individuals); '
'870,000 unique email addresses '
'(per HaveIBeenPwned)',
'personally_identifiable_information': ['full names',
'Social Security '
'Numbers (SSNs)',
'phone numbers',
'home addresses',
'genders',
'email addresses',
'dates of birth'],
'sensitivity_of_data': 'High (includes SSNs, employment '
'details, sick leave information)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'employee records',
'workplace incident reports']},
'date_detected': '2023-08-23',
'date_publicly_disclosed': '2023-09-02',
'description': 'Volvo North America announced that attackers accessed '
'employee data after a ransomware attack struck its HR system '
'provider, Miljödata. The DataCarry ransomware group claimed '
"responsibility for the attack on Miljödata's Adato system, "
"which manages workers' sick leave and rehabilitation. The "
'breach exposed names and Social Security Numbers (SSNs) of '
'Volvo employees, among other data types for other affected '
'organizations. The attack disrupted public services across '
'200 Swedish municipalities and impacted multiple universities '
'and companies, including Swedish airline SAS. Approximately '
'1.5 million people were affected overall.',
'impact': {'brand_reputation_impact': 'High (large-scale breach affecting 1.5 '
'million individuals, including '
'employees of major organizations like '
'Volvo and SAS)',
'data_compromised': ['first and last names',
'Social Security Numbers (SSNs)',
'phone numbers',
'home addresses',
'genders',
'email addresses',
'dates of birth',
'sick leave information',
'employee accounts',
'employment information (e.g., role, tenure)',
'workplace incident reports'],
'downtime': 'Disrupted public services across 200 Swedish '
'municipalities (since August 20, 2023)',
'identity_theft_risk': 'High (SSNs and other PII exposed)',
'legal_liabilities': 'Potential regulatory fines under GDPR or '
'other data protection laws; class-action '
'lawsuits from affected individuals',
'operational_impact': 'Disruption of HR and sick leave management '
'systems, public service interruptions, '
'potential delays in workplace '
'rehabilitation processes',
'systems_affected': ["Miljödata's Adato system (cloud-hosted)",
'production environment for workplace '
'incident reporting/monitoring']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (DataCarry offered '
"Miljödata's files for "
'download on dark web '
'site)',
'high_value_targets': ['Adato system (HR/sick leave '
'management)',
'employee databases',
'workplace incident '
'reporting systems']},
'investigation_status': 'Ongoing (as of September 2023, led by Swedish '
'authorities and Miljödata)',
'motivation': 'Financial gain (ransomware), data exfiltration for potential '
'sale on dark web',
'post_incident_analysis': {'corrective_actions': ['Enhanced security of '
'Miljödata-hosted '
'environment',
'Review of security '
'policies/procedures/tools',
'Preventive measures to '
'avoid recurrence'],
'root_causes': ["Vulnerabilities in Miljödata's "
'cloud-hosted Adato system',
'Inadequate security measures to '
'prevent ransomware intrusion']},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransomware_strain': 'DataCarry'},
'references': [{'source': 'The Register'},
{'source': "Massachusetts Attorney General's Office "
'(Disclosure PDF by Volvo)'},
{'source': 'Sweden Herald (Interview with Prosecutor Sandra '
'Helgadottir)'},
{'source': 'HaveIBeenPwned'}],
'regulatory_compliance': {'legal_actions': ['Investigation led by Swedish '
'prosecutor Sandra Helgadottir'],
'regulations_violated': ['Potential GDPR violations '
'(EU General Data '
'Protection Regulation)'],
'regulatory_notifications': ['Massachusetts '
"Attorney General's "
'office (disclosure '
'filed by Volvo)']},
'response': {'communication_strategy': ['Disclosure to affected organizations '
'(e.g., Volvo, SAS)',
'Public filings (e.g., Massachusetts '
"Attorney General's office)",
'Media statements'],
'containment_measures': ['Isolation of affected systems',
'Enhanced security of Miljödata-hosted '
'environment'],
'enhanced_monitoring': 'Yes (implemented by Miljödata)',
'incident_response_plan_activated': 'Yes (Miljödata commenced '
'investigation on August 23, '
'2023)',
'law_enforcement_notified': 'Yes (investigation led by Swedish '
'prosecutor Sandra Helgadottir)',
'remediation_measures': ['Review of security policies, '
'procedures, and tools',
'Steps to prevent recurrence of similar '
'incidents'],
'third_party_assistance': 'Yes (cybersecurity experts engaged by '
'Miljödata)'},
'stakeholder_advisories': ['Volvo notified affected employees',
'SAS notified current/former employees (joined '
'before June 21, 2021)',
'City of Stockholm notified employees'],
'threat_actor': 'DataCarry ransomware group',
'title': 'Ransomware Attack on Miljödata Affecting Volvo North America and '
'Other Organizations',
'type': ['ransomware', 'data breach']}