Volvo North America recently disclosed that sensitive employee information was compromised following a ransomware attack targeting its HR software provider, Miljödata. The breach, attributed to the DataCarry ransomware group, exposed names and social security numbers of Volvo staff after cybercriminals infiltrated Miljödata’s cloud-hosted Adato system in August 2025.
The confirmation of Volvo’s affected data came on September 2, several days after Miljödata detected the intrusion on August 23. Miljödata responded by initiating an investigation, collaborating with cybersecurity experts, and enhancing security measures to prevent future incidents, while Volvo Group continues to closely monitor the evolving situation.
DataCarry claimed responsibility for the attack, posting Miljödata’s stolen files on a dark web site for download. Adato, a specialized HR platform used primarily to manage employee sick leave and rehabilitation, became the focal point of the attack. The fallout extended beyond Volvo, impacting other organizations and municipalities across Sweden, since around 80 percent of Sweden’s 290 municipalities use Miljödata’s software.
Some victims suffered broader data exposure, including phone numbers, addresses, gender, and employment details, depending on how they used Adato. According to the Swedish Herald’s prosecutor Sandra Helgadottir, about 1.5 million individuals were impacted, reflecting the large footprint of Miljödata’s clientele.
Swedish airline SAS, which employed Adato until June 2021, confirmed that current and former employees who joined before June 21, 2021, might have had personal and sick leave information exposed. The City of Stockholm was also affected, despite not operating live systems with Miljödata, with data related to workplace incident reporting and employee accounts among the compromised information.
The attack disrupted services in approximately 200 municipalities, and additional victims included several prominent universities such as Chalmers, Karlstad, Lunds, Linköping, Umeå, and the Swedish University of Agricultural Sciences, all of which reported being affected due to Adato usage. Uppsala University avoided the breach by running Adato on-premises.
This incident underscores the substantial downstream risks created by third-party vendor breaches, as malicious actors increasingly target interconnected systems holding large volumes of personal and employment data. Organizations affected are responding with investigations, security upgrades, and disclosures to regulatory authorities, highlighting the critical need to safeguard supply chain platforms and scrutinize cloud-hosted environments for vulnerabilities.