A misconfigured Elasticsearch server has exposed hundreds of millions of records tied to Swedish citizens and companies. No password. No firewall. Just open to the internet.
The leak was discovered by Cybernews researchers. The server contained over 100 million records, spread across 25 indices. Some datasets were more than 200GB in size. The data ran from 2019 to 2024.
It included:
- Full names, including former names
- Swedish personal identity numbers
- Birth dates, gender, and civil status
- Swedish and foreign address histories
- Tax filings from the past five years
- Income levels and employer information
- Debt, defaults, bankruptcies
- Property ownership indicators
- Logs of migration, address changes, and event triggers
This wasn’t just personal data. It was behavioral and financial intelligence. Structured. Time-stamped. Layered. Enough to reconstruct someone’s life, or dismantle it.
Banks could use it to score risk. Criminals could use it to exploit, impersonate, or extort. Phishing, fraud, competitive surveillance; it’s all possible with this kind of detail.
Where Did It Come From?
The data appears to originate from Risika, a Danish analytics firm that provides business intelligence across the Nordics.
Field names and index structures matched internal tags used in Risika’s products. Researchers found “dwh” (data warehouse) markers throughout. But the leak doesn’t appear to have come from Risika directly.
Instead, all signs point to a third-party operator, likely a client. The data may have been shared under a commercial license, then mishandled. Misconfigured. Left wide open.
Cybernews sent a disclosure notice to Risika on 10 May. The server went offline the next day. Risika hasn’t responded publicly.
“The Genie Can’t Be Put Back”
Ben Hutchison, associate principal consultant at Black Duck, said the damage can’t easily be undone.
“Once such information is exposed, the genie can’t really be put back in the bottle,” he said. The breach includes “individuals’ PII, including personal and financial history.” That kind of data doesn’t expire. And it can’t be changed.
Hutchison warned that affected individuals should expect identity theft, targeted scams, and service-level impersonation. Not just phishing emails. Attackers may pose as the victim to banks or insurers, using real details to get past verification.
Entities, he said, must stop thinking of security as a local problem.
“Organizations handling sensitive data need to ensure they are taking steps to protect it throughout its lifecycle,” he said. “Not only in their own estate.”
That means vetting third parties, enforcing controls, setting access limits, and building contracts that demand more than trust.
He added that breaches like this carry regulatory risk, financial penalties, and long shadows. “No organization wants to find itself in that situation,” he said. “Proactive control now avoids expensive problems later.”
What Happens Next?
The data is no longer online. But for many, it’s already too late. Copies could exist. Details may have been scraped. The exposure ran deep and wide.
And this wasn’t a sloppy marketing list. This was high-grade intelligence. The kind companies sell, and attackers steal.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.