Swedish union Vision has been hit by a major data leak affecting nearly 300,000 people. A feature in their membership application on the website was exploited to fetch details from the state address register. The union has reported the incident to the Swedish Authority for Privacy Protection and urges those affected to watch for fraud attempts.
The Swedish union Vision discovered the leak on October 8 after receiving an unusually high invoice from Spar, the state personal address register. On September 27 and 28, an IT attack targeted Vision's website, where attackers exploited the membership application form. By entering number sequences resembling personal identity numbers, they automatically retrieved details such as names, surnames, and address information for matches in the register.
Those affected are individuals born in 1981, 2000, 2007, and 2011, with no protected identities included. No membership details in Vision were leaked. Caroline Cederquist, Vision's press chief, stated: “We discovered this when we got an invoice with a very high amount from Spar.” She added: “We don't want to speculate on what happened or how it was done. We have reported the incident to the Swedish Authority for Privacy Protection.”
Vision contacted the police, but they deemed it not a crime, instead handling it as a data protection incident by the authority. On October 14, the union sent a mass mailing via Kivra to those affected, stating: “Vision naturally regrets what has happened and asks you to be particularly vigilant against fraud attempts via mail going forward. No other actions need to be taken by you.” Vision hopes to avoid paying the full Spar invoice and advises everyone to be extra alert for fraud attempts.