Incident Types: The types of cybersecurity incidents that have occurred include Ransomware and Breach.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (by miljödata on 2025-08-23), and third party assistance with external cybersecurity experts engaged by miljödata for forensic investigation, and containment measures with isolation of affected systems, containment measures with notification to volvo group, and remediation measures with enhancement of miljödata's hosted environment security, and communication strategy with notification to affected employees via email and postal mail, communication strategy with provision of identity protection services (allstate identity protection pro+), communication strategy with guidance from volvo group's people services team, and enhanced monitoring with yes (implemented by miljödata post-incident), and and third party assistance with cybersecurity experts (unspecified), and containment measures with enhanced security of hosted environment, and recovery measures with preventive measures to avoid future breaches, and communication strategy with data breach notification letters to affected individuals, communication strategy with public disclosure via massachusetts ag, communication strategy with offer of 18-month identity protection (allstate’s identity protection pro+), and and incident response plan activated with yes (miljödata commenced investigation on august 23, 2023), and third party assistance with yes (cybersecurity experts engaged by miljödata), and law enforcement notified with yes (investigation led by swedish prosecutor sandra helgadottir), and containment measures with isolation of affected systems, containment measures with enhanced security of miljödata-hosted environment, and remediation measures with review of security policies, procedures, and tools, remediation measures with steps to prevent recurrence of similar incidents, and communication strategy with disclosure to affected organizations (e.g., volvo, sas), communication strategy with public filings (e.g., massachusetts attorney general's office), communication strategy with media statements, and enhanced monitoring with yes (implemented by miljödata)..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are R&D Data, , Database Authentication Information, Private User Data, , Personally Identifiable Information (Pii), Employee Data, Corporate Data, , Personally Identifiable Information (Pii), , Personally Identifiable Information (Pii), Employee Records, , Personally Identifiable Information (Pii), Employee Records, Workplace Incident Reports and .

Incident Response Plan: The company's incident response plan is described as Yes (Miljödata commenced investigation on August 23, 2023).

Third-Party Assistance: The company involves third-party assistance in incident response through external cybersecurity experts engaged by Miljödata for forensic investigation, cybersecurity experts (unspecified), , Yes (cybersecurity experts engaged by Miljödata).

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: enhancement of Miljödata's hosted environment security, , Review of security policies, procedures, and tools, Steps to prevent recurrence of similar incidents, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by isolation of affected systems, notification to volvo group, , enhanced security of hosted environment, , isolation of affected systems, enhanced security of miljödata-hosted environment and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through preventive measures to avoid future breaches, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Investigation led by Swedish prosecutor Sandra Helgadottir, .

Key Lessons Learned: The key lessons learned from past incidents are importance of third-party vendor security oversight,need for robust vendor management and data-protection policies,proactive measures (e.g., identity protection services) to mitigate harm from breaches.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: expand employee training on recognizing and responding to identity theft risks, implement stricter contractual security requirements for vendors, consider multi-factor authentication (MFA) and encryption for sensitive data shared with vendors and enhance third-party risk assessments and continuous monitoring.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Cybernews, and Source: Swedish Prosecution Authority (media reports), and Source: GBHackers (GBH), and Source: SecurityAffairsDate Accessed: 2025-09-25, and Source: Have I Been Pwned (HIBP)Date Accessed: 2025-09-25, and Source: Volvo Group North America data breach notification letterDate Accessed: 2025-09-02, and Source: The Register, and Source: Massachusetts Attorney General's Office (Disclosure PDF by Volvo), and Source: Sweden Herald (Interview with Prosecutor Sandra Helgadottir), and Source: HaveIBeenPwned.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Notification To Affected Employees Via Email And Postal Mail, Provision Of Identity Protection Services (Allstate Identity Protection Pro+), Guidance From Volvo Group'S People Services Team, Data Breach Notification Letters To Affected Individuals, Public Disclosure Via Massachusetts Ag, Offer Of 18-Month Identity Protection (Allstate’S Identity Protection Pro+), Disclosure To Affected Organizations (E.G., Volvo, Sas), Public Filings (E.G., Massachusetts Attorney General'S Office) and Media Statements.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Volvo Group'S People Services Team Available For Employee Support, Identity Protection Services (Allstate Identity Protection Pro+) Offered To Affected Employees, Employees Advised To Monitor Bank/Credit Card Statements For Suspicious Activity, Recommendation To Obtain Free Annual Credit Reports And Place Fraud Alerts/Security Freezes, Enrollment Instructions For Identity Protection Services To Be Sent Via Email And Postal Mail, , Notification To Massachusetts Ag, Internal Communication To Affected Employees, 18-Month Complimentary Identity Protection (Allstate’S Identity Protection Pro+), , Volvo Notified Affected Employees, Sas Notified Current/Former Employees (Joined Before June 21, 2021) and City Of Stockholm Notified Employees.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as external cybersecurity experts engaged by Miljödata for forensic investigation, yes (implemented by Miljödata post-incident), Cybersecurity Experts (Unspecified), , , , Yes (implemented by Miljödata).

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Miljödata: Forensic Investigation And Security Enhancements, Volvo Group: Review Of Vendor Management And Data-Protection Policies, , Enhanced Security Of Hosted Environment, Preventive Measures For Future Breaches, , Enhanced Security Of Miljödata-Hosted Environment, Review Of Security Policies/Procedures/Tools, Preventive Measures To Avoid Recurrence, .

Last Ransom Demanded: The amount of the last ransom demanded was 1.5 BTC (≈ 147,000 EUR).

Last Attacking Group: The attacking group in the last incident were an Snatch, Datacarry, DataCarry (ransomware group) and DataCarry ransomware group.

Most Recent Incident Detected: The most recent incident detected was on December 2021.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-09-02.

Most Significant Data Compromised: The most significant data compromised in an incident were R&D Data, , Database Authentication Information, Private User Data, , noms, adresses, coordonnées (employés et citoyens), données d'entreprises (Volvo, SAS), , first names, last names, Social Security numbers, , names, Social Security numbers, email addresses, physical addresses, phone numbers, government IDs, dates of birth, gender, , first and last names, Social Security Numbers (SSNs), phone numbers, home addresses, genders, email addresses, dates of birth, sick leave information, employee accounts, employment information (e.g., role, tenure), workplace incident reports and .

Most Significant System Affected: The most significant system affected in an incident were MySQL DatabasesRedis Databases and Miljödata's HR management systems and HR software systems (medical certificates, rehabilitation matters, work-related injury reporting) and Miljödata's Adato system (cloud-hosted)production environment for workplace incident reporting/monitoring.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was external cybersecurity experts engaged by Miljödata for forensic investigation, cybersecurity experts (unspecified), , .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were isolation of affected systemsnotification to Volvo Group, enhanced security of hosted environment and Isolation of affected systemsEnhanced security of Miljödata-hosted environment.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were government IDs, first and last names, R&D Data, Social Security Numbers (SSNs), Database Authentication Information, sick leave information, données d'entreprises (Volvo, SAS), last names, names, gender, coordonnées (employés et citoyens), home addresses, dates of birth, adresses, workplace incident reports, employment information (e.g., role, tenure), phone numbers, noms, Social Security numbers, email addresses, physical addresses, first names, genders, employee accounts and Private User Data.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 4.7M.

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was 1.5 BTC (≈ 147,000 EUR).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Investigation led by Swedish prosecutor Sandra Helgadottir, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was proactive measures (e.g., identity protection services) to mitigate harm from breaches.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Monitor account statements and credit reports regularly, enhance third-party risk assessments and continuous monitoring, Implement robust data protection measures for HR systems, Enhance third-party vendor security assessments, implement stricter contractual security requirements for vendors, expand employee training on recognizing and responding to identity theft risks and consider multi-factor authentication (MFA) and encryption for sensitive data shared with vendors.

Most Recent Source: The most recent source of information about an incident are Sweden Herald (Interview with Prosecutor Sandra Helgadottir), GBHackers (GBH), SecurityAffairs, Swedish Prosecution Authority (media reports), Volvo Group North America data breach notification letter, HaveIBeenPwned, Massachusetts Attorney General's Office (Disclosure PDF by Volvo), The Register, Cybernews and Have I Been Pwned (HIBP).

Current Status of Most Recent Investigation: The current status of the most recent investigation is ongoing (no evidence of foreign state involvement).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Volvo Group's People Services team available for employee support, identity protection services (Allstate Identity Protection Pro+) offered to affected employees, Notification to Massachusetts AG, Internal communication to affected employees, Volvo notified affected employees, SAS notified current/former employees (joined before June 21, 2021), City of Stockholm notified employees, .

Most Recent Customer Advisory: The most recent customer advisory issued were an employees advised to monitor bank/credit card statements for suspicious activityrecommendation to obtain free annual credit reports and place fraud alerts/security freezesenrollment instructions for identity protection services to be sent via email and postal mail and 18-month complimentary identity protection (Allstate’s Identity Protection Pro+).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was third-party vendor (Miljödata) security vulnerabilitiesdelayed detection of suspicious activity (3 days post-attack), Vulnerabilities in Miljödata's cloud-hosted Adato systemInadequate security measures to prevent ransomware intrusion.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Miljödata: forensic investigation and security enhancementsVolvo Group: review of vendor management and data-protection policies, Enhanced security of hosted environmentPreventive measures for future breaches, Enhanced security of Miljödata-hosted environmentReview of security policies/procedures/toolsPreventive measures to avoid recurrence.