Cases
Five Norwegian Cases
What the public record supports, and what it does not
June 2026
The Loss Is Already Counted
Deception is not a future risk in Norway. It is a measured cost. Finanstilsynet, the financial regulator, reported losses from social engineering of NOK 360 million in the first half of 2024,[1] and NOK 307 million in the second half.[2] Taken together, that is NOK 667 million in a single year, the sum of two published half-year figures.
It is a national figure across the financial system, not a statistic about any one firm or profession, and it does not claim that every loss began with a stolen password. Attacks built on deception are already taking very large sums out of Norwegian organizations, every year.
NOK 667 million in a single year. The sum of two published figures, not an estimate.
When the Regulator Looked at the Login
The clearest Norwegian example is not a breach story. It is a regulator's decision. After the Storting, the national parliament, was breached in 2020, Datatilsynet imposed an administrative fine of NOK 2 million.[3] The reason matters more than the amount. In its 2022 decision, Datatilsynet was explicit about the control that had failed, emphasizing that the Storting "did not have two-factor authentication or equivalent effective security measures."[3] The breach ran through email accounts, and that gap is what left them open.
This is the regulator's own published decision, tied to a named institution and a defined sanction. The lesson is narrow. Weak authentication can become a sanctionable deficiency. It does not follow that every organization without modern authentication faces the same fine. It does follow that, in the right facts, the quality of a login is a governance question and not only an IT one.
What Failure Costs
Two Norwegian cases show the range of what a serious incident can cost. At the large end, Norsk Hydro has said its 2019 cyberattack led to total costs of around NOK 800 million.[4] At a smaller and more ordinary scale, Teknisk Ukeblad reported that an attack on AKVA group cost about NOK 49.7 million in 2021.[5]
In neither case does the public record cleanly establish that stolen credentials were the way in. The Hydro attack, a LockerGoga ransomware infection documented at the time by Recorded Future[6] and Industrial Cyber,[7] has never had its initial access path settled in public. So these are not proof that a password failure caused the damage. They are proof of something else. Norwegian cyber incidents can become very expensive, at both the head-turning scale and the quietly realistic one. When the downside is that large, closing the common and well-understood attack paths is simply rational.
The Trusted Email
The Nordic Choice Hotels incident points at a different surface. The hotel group was hit by Conti ransomware, as reported by CyberEnso,[8] and a Visma case study describes how it began: an employee opened an attachment that appeared to come from a trusted partner.[9]
There is no high-confidence public figure for the loss, and this is not a clean public example of stolen credentials used to take over an account. The value of the case is narrower. It shows how easily an ordinary, trusted business workflow can be turned into a way in, even at a large and capable company. Identity protection has to sit inside a wider guard against deception, not stand alone as a single fix.
What These Cases Support, and What They Do Not
Each case carries a single point. The Storting decision shows that weak authentication can become a regulatory problem. The Finanstilsynet figures show that deception-driven loss in Norway is already very large. Hydro and AKVA group show the cost of a serious incident. Nordic Choice shows that trusted communication remains a practical way in.
What they do not support is the easy claim that every major incident began with a stolen password and would have been stopped by one piece of technology. The public evidence does not show that. Phishing-resistant authentication removes one important and common class of failure from an environment where identity, email, and trust sit at the center.
It removes one important class of failure. It does not pretend to remove them all.
The Stronger Control
Not all multi-factor authentication is equal. NSM, the national security authority, draws a line between phishing-resistant multi-factor authentication and weaker forms, and recommends the stronger category against phishing and account takeover.[10] That distinction is the whole point. The phishing-resistant kind is the one that holds when someone is actively trying to trick a person.
The practical case is better than many firms expect. Microsoft has reported that passkey sign-ins are "eight times faster than a password and multifactor authentication,"[11] which means the stronger method can also be the easier one. And Norwegians are not being asked to adopt something foreign. The FIDO Alliance describes BankID, used by about 4.7 million people, roughly 97 percent of the country, as part of the same move toward passkey-based authentication.[12]
Sources
Every figure and quotation above is tied to a named public source, listed here so any claim can be checked.
1. Finanstilsynet. Svindelstatistikk første halvår 2024. 18 November 2024. https://www.finanstilsynet.no/publikasjoner-og-analyser/svindel-og-svindelstatistikk/2024/h1/svindelstatistikk-forste-halvar-2024/
2. Finanstilsynet. Svindelstatistikk andre halvår 2024. 14 May 2025. https://www.finanstilsynet.no/publikasjoner-og-analyser/svindel-og-svindelstatistikk/2024/h2/svindelstatistikk-andre-halvar-2024
3. Datatilsynet. Overtredelsesgebyr til Stortinget. 27 June 2022. https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2022/overtredelsesgebyr-til-stortinget/
4. Hydro. Cyber-attack on Hydro. https://www.hydro.com/en/global/media/on-the-agenda/cyber-attack/
5. Teknisk Ukeblad. Cyberangrep kostet Akva Group nær 50 millioner kroner. 6 May 2021. https://www.tu.no/artikler/cyberangrep-kostet-akva-group-naer-50-millioner-kroner/509982
6. Recorded Future. LockerGoga Ransomware Disrupts Operations at Norwegian Aluminium Manufacturer Norsk Hydro. 19 March 2019. https://www.recordedfuture.com/blog/lockergoga-ransomware-insight
7. Industrial Cyber. The Norsk Hydro Attack. 23 March 2019. https://industrialcyber.co/features/the-norsk-hydro-attack/
8. CyberEnso. Nordic Choice Hotels IT systems impacted by Conti ransomware. 1 February 2022. https://cyberenso.jp/en/nordic-choice-hotels-it-systems-impacted-by-conti-ransomware/
9. Visma. Case study: Ransomware attack against Nordic Choice Hotels. https://www.visma.com/blog/case-study-ransomware-attack-against-nordic-choice-hotels/
10. Nasjonal sikkerhetsmyndighet (NSM). Flerfaktorautentisering. Thematic report. https://nsm.no/getfile.php/1314181-1734004986/NSM/Filer/Dokumenter/Rapporter/NSM%20Flerfaktorautentisering%20temarapport.pdf
11. Microsoft. Pushing passkeys forward: Microsoft's latest updates for simpler, safer sign-ins. 30 April 2025. https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/
12. FIDO Alliance. How BankID Norway Unifies Passkeys and Biometric Liveness. 9 March 2026. https://fidoalliance.org/fido-webinar-the-spectrum-of-authentication-how-bankid-norway-unifies-passkeys-biometric-liveness/
Zero One Security, Cases. Published by Zero One Labs. Set in Family and Söhne. Copyright Zero One Labs, 2026.