Personal data incidents nearly doubled in 2025 – Takeaways from the IMY's 2025 annual report

by Sofie Axelsson

The number of personal data incidents reported to the Swedish Data Protection Authority (IMY) has reached an all-time high. In 2025, the number of reported incidents increased by almost 90 per cent compared with the previous year. A total of 12,276 incidents were reported, and approximately 1.5 million individuals were affected, including in some cases children and individuals with protected personal data. This is according to IMY's 2025 Annual Report.

A significant part of the increase is attributable to large-scale data breaches at service providers with numerous data controller clients. A single vulnerability can be sufficient to expose data from multiple organisations simultaneously. This illustrates the dependency risks that arise when many organisations share the same IT solutions or service providers, meaning that an incident at a supplier can quickly become a GDPR problem for many organisations.

Several of the larger incidents were caused by ransomware attacks in which threat actors gained access to organisations' IT environments, extracted data, and subsequently threatened to publish the information. In its report, IMY specifically highlights that two larger incidents during the year involved hostile actors who leaked and published the personal data of large parts of the Swedish population. In both cases, IMY found it warranted to open supervisory investigations. Notably, these incidents align with widely reported breaches affecting the sports administration platform SportAdmin, and a large-scale leak involving the data aggregation service Miljödata, both of which have been subject to regulatory scrutiny in Sweden. 

While a personal data leak does not automatically constitute a breach of the GDPR, IMY emphasises that a systematic approach to data protection reduces the risk of incidents, limits their potential impact, and contributes to overall societal resilience.

Three things to review now:

The increase may serve as a signal that the risk landscape continues to evolve, and that there are concrete steps to take:

1. Technical and organisational security measures
The GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. Given the rising number of cyberattacks, it is advisable to regularly assess whether existing safeguards remain adequate, for example with regard to access controls, logging, software updates, and backup routines.

2. Incident management and reporting obligations
Personal data incidents that are likely to result in a risk to individuals' rights and freedoms must be reported to the supervisory authority within 72 hours of the organisation becoming aware of the incident. This requires clear internal procedures for promptly identifying, escalating, and assessing potential incidents. Responsibility for determining whether an incident must be reported to the supervisory authority, and whether affected individuals need to be notified, should be clearly defined.

3. Review of data processors
The increase in incidents linked to service providers makes it particularly timely to review which suppliers process personal data on your behalf, what security measures they apply, and whether data processing agreements contain sufficient requirements regarding security and incident reporting. Security standards must be adequate even for external processors.

The trend is expected to continue

Nearly doubling in a single year, the number of reported personal data incidents in Sweden shows no sign of levelling off. Both technical security measures and internal incident management procedures should be in place and regularly reviewed. In the current geopolitical landscape, this also means staying alert to the growing threat from hostile actors, as IMY's report makes clear that hostile parties are already responsible for some of the most serious incidents.
