# Data Breach
Sensitive data has been stolen, exposed, or accessed without authorization. This may involve personal data (triggering GDPR obligations), trade secrets, financial information, or other confidential data.
## Immediate Actions
- Assess what data was affected: Personal data? Financial? Health? Trade secrets?
- Determine the scope: How many records? Which systems?
- Identify the cause: How did the breach occur?
- Contain the breach: Stop ongoing data exfiltration
- Preserve evidence: Logs, access records, system images
## GDPR Notification Requirements (EU/EEA)
If personal data was breached, you may have legal obligations:
### 72-Hour Rule
You must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
### Sweden: Integritetsskyddsmyndigheten (IMY)
- Website: imy.se
- Report breach: imy.se/verksamhet/dataskydd/anmala-personuppgiftsincident
- Phone: +46 8 657 61 00
### What to Report
- Nature of the breach
- Categories and approximate number of data subjects
- Categories and approximate number of records
- Contact details of your DPO
- Likely consequences
- Measures taken or proposed
### When to Notify Individuals
If the breach is likely to result in high risk to individuals' rights and freedoms, you must also notify the affected individuals without undue delay.
### Other EU Supervisory Authorities
If your organization operates in multiple EU countries:
| Country | Authority | Website |
|---|---|---|
| Sweden | IMY | imy.se |
| Norway | Datatilsynet | datatilsynet.no |
| Denmark | Datatilsynet | datatilsynet.dk |
| Finland | Tietosuojavaltuutettu | tietosuoja.fi |
| Germany | BfDI (federal) + state authorities | bfdi.bund.de |
| UK | ICO | ico.org.uk |
## Check If Data Was Leaked Publicly
### Have I Been Pwned (Notify Your Users)
- Domain search: haveibeenpwned.com/DomainSearch
- Check if your organization's data appeared in known breaches
- Set up domain-wide notifications
### Dark Web Monitoring
- Flare: flare.systems - Dark web monitoring (commercial)
- SpyCloud: spycloud.com - Breach database (commercial)
- KELA: ke-la.com - Threat intelligence (commercial)
### Paste Sites / Breach Forums
Attackers often post stolen data on:
- Paste sites (Pastebin, etc.)
- Hacker forums
- Data leak sites (ransomware groups)
- Telegram channels

Note: Accessing these requires caution and legal consideration.
## Industry-Specific Requirements
### Healthcare (Sweden)
- Report to IVO (Inspektionen för vård och omsorg) for patient safety incidents
- Report to IMY for personal data breaches
### Financial Services
- Report to Finansinspektionen for operational incidents
- NIS2 directive requirements
### Critical Infrastructure (NIS2)
- Report significant incidents to MSB and sector-specific authorities
- Tighter timelines and requirements
## Evidence to Preserve
- [ ] Access logs showing unauthorized access
- [ ] Database query logs
- [ ] Network logs showing data exfiltration
- [ ] Email logs (if data sent via email)
- [ ] System images of affected servers
- [ ] Timeline of the breach
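The preservation step above, as an added example that is not part of this guide: a POSIX shell helper that copies the listed log files into an evidence bundle, records a SHA-256 hash and collection timestamp for each in a manifest, marks the bundle read-only, and can re-verify the copies later. It assumes `sha256sum`, `cp` and `date` are available; the file names used are constructed samples.

```shell
#!/bin/sh
# Added example (not HackAid's own tooling): bundle breach evidence with hashes
# so the copies handed to investigators can be shown to match the originals.
# Assumes POSIX sh with sha256sum, cp and date available.

# preserve_evidence OUTDIR FILE... : copy each file into OUTDIR, record its
# SHA-256 in OUTDIR/manifest.txt, and print the number of files preserved.
preserve_evidence() {
    outdir="$1"; shift
    mkdir -p "$outdir"
    manifest="$outdir/manifest.txt"
    printf 'collected_at\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$manifest"
    count=0
    for src in "$@"; do
        if [ ! -r "$src" ]; then
            # Record the gap instead of silently skipping it; it belongs in the timeline.
            printf 'MISSING\t%s\n' "$src" >> "$manifest"
            continue
        fi
        # Hash the original first, copy it, then confirm the copy is identical.
        orig_hash=$(sha256sum "$src" | cut -d' ' -f1)
        dest="$outdir/$(basename "$src")"
        cp -p "$src" "$dest"
        copy_hash=$(sha256sum "$dest" | cut -d' ' -f1)
        if [ "$orig_hash" != "$copy_hash" ]; then
            printf 'MISMATCH\t%s\n' "$src" >> "$manifest"
            continue
        fi
        printf '%s\t%s\t%s\n' "$orig_hash" "$src" "$dest" >> "$manifest"
        count=$((count + 1))
    done
    # Make the bundle read-only so later handling does not alter it.
    chmod -R a-w "$outdir"
    echo "$count"
}

# verify_manifest OUTDIR : recompute the hash of every copy listed in the
# manifest; returns 0 when all still match, 1 otherwise.
verify_manifest() {
    fail=0
    while IFS="$(printf '\t')" read -r hash src dest; do
        case "$hash" in collected_at|MISSING|MISMATCH) continue ;; esac
        [ "$(sha256sum "$dest" | cut -d' ' -f1)" = "$hash" ] || fail=1
    done < "$1/manifest.txt"
    return $fail
}
```

Files sharing a base name would overwrite each other in the bundle, so keep source paths distinct or extend `dest` with the source directory if that applies.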
## Guides & Documentation
### IMY Breach Notification Guide
- Website: imy.se
- Official Swedish guidance
### EDPB Guidelines on Breach Notification
- Guidelines 9/2022: edpb.europa.eu
- European Data Protection Board guidance with examples
### ENISA Breach Notification Guidelines
- Website: enisa.europa.eu
- Technical guidance and examples
### ICO Breach Assessment Tool (UK)
- Tool: ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment
- Helps assess if notification is required
## Communication Templates
### Internal Communication
- Brief stakeholders on facts only
- Define spokesperson
- Document all communications
### External Communication
- Be factual and transparent
- Explain what happened and what you're doing
- Provide clear guidance to affected individuals
- Include contact information
## Need Help?
If your Swedish organization has suffered a data breach:
Apply to HackAid - We can help investigate the breach and preserve evidence for reporting.
Last updated: 2026-01