On 9 January 2021, Østre Toten municipality woke up to discover that its entire digital infrastructure had been destroyed overnight. An international hacker group known as PYSA had breached the municipality's firewall, encrypted all data on every server, and deleted all backup files. In one night, 1,300 municipal employees lost access to every system they depended on.
The municipality had no way to recover. Email was gone. Patient records in the care services were gone. Building applications, tax records, internal communications, all of it locked behind encryption keys that only the hackers held. Staff in the health service, schools, and administration had to switch to pen and paper. Nurses wrote patient notes by hand. Teachers managed without digital tools. Administrative staff dug out physical archives that had not been touched in years.
The situation got worse. On 31 March, the hackers published stolen data on the dark web. Approximately 30,000 documents containing personal information about the municipality's residents appeared online, including sensitive health records and social service files. The municipality could do nothing to stop the spread.
The aftermath was brutal. Around 1,000 computers had to be wiped and rebuilt from scratch. The total cost reached approximately 35 million kroner. Datatilsynet, Norway's data protection authority, investigated and found that the municipality had failed on multiple fronts: no two-factor authentication, inadequate logging, poor backup procedures, and a weak security culture. The fine was 4 million kroner, with the authority noting that the failures amounted to gross negligence.
The attack on Østre Toten remains the worst cyberattack against any Norwegian municipality. It became a national cautionary tale about how a small rural municipality's IT systems can be just as vulnerable as any large corporation, and how devastating the consequences can be when the basics of cybersecurity are neglected.