Skip to content
Data & Signals

Latvia’s LVM cyberattack is no longer just a company incident

Around 7,000 reportedly stolen employee passwords, deleted backups, a possible personal data breach and a state-owned company linked to election-system development: the cyberattack on Latvijas valsts meži (LVM) has moved beyond a normal company-level IT incident.

Latvia’s LVM cyberattack is no longer just a company incident

Around 7,000 reportedly stolen employee passwords, deleted backups, a possible personal data breach and a state-owned company linked to election-system development: the cyberattack on Latvijas valsts meži (LVM) has moved beyond a normal company-level IT incident.

LVM informed clients and cooperation partners that third parties may have gained unauthorised access to personal data stored in its systems. The potentially affected data include names, surnames, personal identity numbers, contact information and other data linked to services or cooperation with the company.

[DATA CARD 1: LVM cyberattack — key numbers]
22 June — incident detected
26 June — personal data breach notice
~7,000 — employee passwords reportedly stolen
LVM GEO — reported entry point
Backups — reportedly deleted

From service disruption to state resilience

According to LTV/LSM, cybersecurity expert Elviss Strazdiņš said the attacker first used an old vulnerability in LVM GEO, where one server had reportedly remained on an outdated version. The attacker reportedly stole around 7,000 employee passwords, left malware on servers, encrypted data and deleted backups.

CERT.LV has said responsibility for the attack was claimed by a foreign financially motivated ransomware group. This makes the case different from a normal outage: if backups and internal access structures were affected, recovery is not only about switching systems back on, but about rebuilding trust in the infrastructure.

Why the election link must be handled carefully

There is no public evidence that election infrastructure, defence procurement or state secrets were compromised in the LVM incident.

But LVM is not just another state-owned company. It manages strategic land and forestry assets, operates geospatial systems, works with many partners and has also been named as one of three companies involved in developing the digital system for this year’s Saeima elections. LVM says the election-system development environment was separated and was not affected, but will be checked for security reasons.

That is why the election link should not be framed as a claim of compromise. It is a trust issue: if a company involved in election-system development suffers a major cyberattack, the public question becomes how clearly sensitive digital environments are separated, audited and verified.

Latvia had warning signs before LVM

The LVM case follows other recent warning signs around Latvia’s state IT environment.

In the CSDD vulnerability case, the courts had to revisit a case involving alleged extortion linked to a security hole in the Road Traffic Safety Directorate’s system. The case raised a broader question: whether Latvia has a safe and credible channel for vulnerability reporting before weaknesses turn into criminal investigations or public scandals.

In March, the European Public Prosecutor’s Office reported 20 suspects, including public officials, in a case involving suspected fraud in public procurement for IT systems acquired by state institutions. Latvian police reported 21 arrests. LSM later wrote that the work of the State Digital Development Agency would be audited; around €48 million in ICT investments had gone through the agency over three years.

[DATA CARD 2: Recent Latvia state IT warning signs]
CSDD — vulnerability case returned to court
€5,750 — fine previously imposed in CSDD case
€3,459 — damages previously ordered for CSDD
20 / 21 — EPPO suspects / Latvian police arrests
€1.5m — suspected IT procurement fraud
€48m — ICT investments via VDAA over three years

One resilience system, not separate files

The LVM cyberattack does not prove a direct link between vulnerability reporting, procurement fraud, election IT and ransomware. It does something narrower, but still important: it shows that Latvia lacks a clear public answer to whether state IT risks are audited as one system rather than as separate procurement, cybersecurity and service-continuity files.

Procurement, contractor access, password management, software updates, backups and network segmentation may look like separate administrative files. In a real cyberattack, they become one resilience system.

After the CSDD vulnerability case and the March IT-procurement scandal, the central question is no longer whether Latvia had warning signs. It did. The question is whether those warning signs led to a broad enough audit of access rights, contractors, outdated software, backup infrastructure and state digital segmentation before the next incident arrived.