Volvo Group North America

Volvo Group North America disclosed a data breach after its third-party HR software supplier, **Miljödata**, suffered a **ransomware attack** in August 2025. The incident exposed **personal data of employees**, including **names, Social Security numbers, email addresses, physical addresses, phone numbers, government IDs, dates of birth, and gender**. The **DataCarry ransomware group** claimed responsibility and leaked **870,000 unique email addresses** and associated sensitive records on the dark web. While Volvo’s internal systems remained uncompromised, the breach impacted HR-related data managed by Miljödata, such as **medical certificates, rehabilitation records, and work-related injury reports**. Affected employees were offered **18 months of free identity protection and credit monitoring** to mitigate risks. The attack also affected other organizations, including **Scandinavian Airlines (SAS), Boliden, and 200 Swedish municipalities**, highlighting the broad impact of the supply-chain compromise.

Source: https://securityaffairs.com/182577/data-breach/volvo-north-america-disclosed-a-data-breach-following-a-ransomware-attack-on-it-provider-miljodata.html

TPRM report: https://www.rankiteo.com/company/volvo-group

"id": "vol2892928092525",
"linkid": "volvo-group",
"type": "Ransomware",
"date": "8/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'employees (870,000 records '
                                              'exposed)',
                        'industry': 'automotive',
                        'location': 'North America',
                        'name': 'Volvo Group North America',
                        'type': 'automotive manufacturer'},
                       {'customers_affected': '25+ companies (including SAS, '
                                              'Boliden, 200 Swedish '
                                              'municipalities)',
                        'industry': 'technology/HR software',
                        'location': 'Sweden',
                        'name': 'Miljödata',
                        'type': 'IT service provider'},
                       {'industry': 'aviation',
                        'location': 'Scandinavia',
                        'name': 'Scandinavian Airlines (SAS)',
                        'type': 'airline'},
                       {'industry': 'mining',
                        'location': 'Sweden',
                        'name': 'Boliden',
                        'type': 'mining company'},
                       {'industry': 'public sector',
                        'location': 'Sweden',
                        'name': '200 Swedish municipalities',
                        'type': 'government entities'}],
 'attack_vector': 'ransomware',
 'customer_advisories': ['18-month complimentary identity protection '
                         '(Allstate’s Identity Protection Pro+)'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['HR databases', 'employee records'],
                 'number_of_records_exposed': '870,000',
                 'personally_identifiable_information': ['names',
                                                         'email addresses',
                                                         'physical addresses',
                                                         'phone numbers',
                                                         'government IDs',
                                                         'dates of birth',
                                                         'gender',
                                                         'Social Security '
                                                         'numbers'],
                 'sensitivity_of_data': 'high (includes SSNs, government IDs, '
                                        'dates of birth)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'employee records']},
 'date_detected': '2025-08-23',
 'date_publicly_disclosed': '2025-09-25',
 'description': 'Volvo North America disclosed a data breach exposing the '
                'personal data of its employees after a ransomware attack on '
                'third-party supplier Miljödata. The attack, claimed by the '
                'ransomware group DataCarry, impacted at least 25 companies, '
                'including Volvo, Scandinavian airline SAS, Boliden, and 200 '
                'Swedish municipalities. The compromised systems handled '
                'HR-related data such as medical certificates, rehabilitation '
                'matters, and work-related injuries. Leaked data included '
                'names, Social Security numbers, email addresses, physical '
                'addresses, phone numbers, government IDs, dates of birth, and '
                'gender, affecting 870,000 accounts. Volvo offered 18 months '
                'of free identity protection and credit monitoring to affected '
                'individuals.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive employee data',
            'data_compromised': ['names',
                                 'Social Security numbers',
                                 'email addresses',
                                 'physical addresses',
                                 'phone numbers',
                                 'government IDs',
                                 'dates of birth',
                                 'gender'],
            'identity_theft_risk': 'High (due to exposure of PII including '
                                   'SSNs and government IDs)',
            'operational_impact': 'Disruption to HR and managerial processes '
                                  'for handling employee data',
            'systems_affected': ['HR software systems (medical certificates, '
                                 'rehabilitation matters, work-related injury '
                                 'reporting)']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': ['HR systems',
                                                  'employee PII databases']},
 'investigation_status': 'Ongoing (as of 2025-09-25)',
 'motivation': 'financial (ransomware)',
 'post_incident_analysis': {'corrective_actions': ['Enhanced security of '
                                                   'hosted environment',
                                                   'Preventive measures for '
                                                   'future breaches']},
 'ransomware': {'data_encryption': True, 'data_exfiltration': True},
 'recommendations': ['Monitor account statements and credit reports regularly',
                     'Enhance third-party vendor security assessments',
                     'Implement robust data protection measures for HR '
                     'systems'],
 'references': [{'date_accessed': '2025-09-25', 'source': 'SecurityAffairs'},
                {'date_accessed': '2025-09-25',
                 'source': 'Have I Been Pwned (HIBP)'},
                {'date_accessed': '2025-09-02',
                 'source': 'Volvo Group North America data breach notification '
                           'letter'}],
 'regulatory_compliance': {'regulatory_notifications': ['Massachusetts '
                                                        'Attorney General']},
 'response': {'communication_strategy': ['data breach notification letters to '
                                         'affected individuals',
                                         'public disclosure via Massachusetts '
                                         'AG',
                                         'offer of 18-month identity '
                                         'protection (Allstate’s Identity '
                                         'Protection Pro+)'],
              'containment_measures': ['enhanced security of hosted '
                                       'environment'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'recovery_measures': ['preventive measures to avoid future '
                                    'breaches'],
              'third_party_assistance': ['cybersecurity experts '
                                         '(unspecified)']},
 'stakeholder_advisories': ['Notification to Massachusetts AG',
                            'Internal communication to affected employees'],
 'threat_actor': 'DataCarry (ransomware group)',
 'title': 'Volvo North America Data Breach Following Ransomware Attack on IT '
          'Provider Miljödata',
 'type': ['data breach', 'ransomware attack']}