Sweden Reports Record Personal Data Breaches in 2025 as IMY Links Surge to Major Darknet Leaks

Key Takeaways

• Record Breach Volume: IMY received 12,276 personal data breach notifications in 2025, the highest annual total since GDPR took effect in 2018.
• Sharp Year-Over-Year Increase: Breach reports rose by nearly 90 percent compared to 2024, previously the peak year.
• Darknet Exposure Impact: Major breaches at service providers led to widespread publication of personal data, largely affecting children, following blackmail attempts.
• Caseload Pressure: Total cases handled by IMY increased 56 percent due to the combined surge in breach reports and individual complaints.
• Expanded Guidance and AI Focus: IMY broadened its regulatory sandbox, strengthened AI-related guidance, and established a dedicated guidance unit effective January 1, 2026.

Deep Dive

It was a record-breaking year for data breaches in Sweden and not the kind anyone wants to celebrate. The Swedish Data Protection Authority, known as IMY, reported that 12,276 personal data breach notifications were filed in 2025, the highest number recorded since the General Data Protection Regulation (GDPR) came into force in 2018.

The figure represents an almost 90 percent increase compared to 2024, which had previously held the record. Behind the spike were several major breaches at companies that provide services to large numbers of data controllers. In those cases, blackmail attempts were followed by the publication of personal data on the Darknet. The exposed information concerned a large portion of Sweden’s population, largely children.

For Eric Leijonram, Director General of IMY, the scale of the leaks is serious, but not automatically evidence of regulatory failure.

“Large leaks of personal data do not necessarily mean that the business has violated GDPR, but if you comply with GDPR, the risk of being affected by such leaks is reduced. Good data protection strengthens society's resilience,” Leijonram said.

A System Under Strain

The increase in breach reports did not occur in isolation. Complaints from individuals also rose sharply, pushing the total number of cases received by IMY up by 56 percent compared to the previous year.

That surge forced the authority to implement special focus efforts to manage volumes.

Supervision remains central to IMY’s mandate. In 2025, the agency prioritized closing older supervision cases, refining its supervisory processes, and advancing complaint-driven investigations. Several of the authority’s self-initiated supervisions were directly tied to the large-scale breaches that defined the year.

The numbers tell one story (rising incident volumes, expanding caseloads) but they also reflect a bigger reality. As organizations become more interconnected and rely on shared service providers, a single breach can ripple outward, affecting thousands of controllers and millions of individuals at once.

Guidance Expands Alongside Enforcement

At the same time, IMY leaned into guidance. The authority expanded its regulatory sandbox, offering in-depth support to innovation projects grappling with data protection questions tied to AI and other emerging technologies. More projects than ever before sought assistance.

Public outreach also grew. Participation in IMY’s webinars increased significantly, and its IMY Play service, which offers educational videos on GDPR and camera surveillance, saw what the agency described as a breakthrough year.

Structural changes followed. During 2025, IMY prepared a new organization of its operational activities, and on January 1, 2026, a dedicated guidance unit was formally established.

Beyond Sweden’s borders, IMY remained active within the European Data Protection Board. In 2025, the authority served as lead rapporteur on guidelines addressing data protection in research, web scraping for AI training, and penalty fees.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.