There’s a follow-up to the Helsinki incident affecting hundreds of thousands of children and adults in 2024. The government has finished its investigation and published its findings and recommendations. From their press release:
The City of Helsinki’s Education Division (KASKO) was targeted by a serious data breach in spring 2024. As a consequence of the data breach, a large amount of data concerning learners and the City’s personnel ended up in the attacker’s hands. The documents on the hacked network drive additionally included data concerning other persons, companies and other partners who had had direct or indirect dealings with the City.
The attacker launched the data breach in mid-April 2024 and subsequently started mapping targets on the City’s intranet and expanding their access to different servers. At the end of April, the attacker copied a total of approx. two terabytes of data in four instalments from the network drive. Determining the exact number or contents of the files turned out to be impossible. The investigation concluded by estimating that the attacker gained access to approx. 750,000 documents, some of which contained sensitive personal data.
The perpetrator managed to continue the attack for a long time as there were shortcomings in the organisation’s network monitoring, and the alerts received were not responded to in time. Once it had been confirmed that a data breach was underway, the City of Helsinki immediately launched management measures and repairs, which succeeded in stopping the attack.
Two factors made copying a large volume of data possible: the information system was hacked through a VPN remote access server that was not maintained appropriately, and a large volume of data had accumulated on the network drive over several years. Shortcomings in maintenance resulted from personnel turnover and changes in the organisation, as a result of which the division of responsibilities remained ambiguous. Inadequate information management had led to the accumulation of data on the network drive, and compliance with instructions issued for network drive use was not supervised.
While a number of acts and provisions apply to information management, awareness of them among practical actors is often low. The legislation and national guidelines are partly obscure and fragmented. The local government sector, in particular, is subject to obligations imposed by several different authorities, which makes them difficult to perceive as a whole.
As a consequence of the data breach, a large number of documents containing personal data ended up in the attacker’s hands. The data can later be used for harmful purposes, including identity theft and fraud. No indications of such activity were detected during the investigation.
The data breach had hundreds of thousands of victims. The investigation found that extensive identification of all victims was a challenge. While the City’s personnel could be reached easily, contacting previous employees and current and previous learners across the board was extremely challenging in practice, and no attempt at it was made.
Four recommendations were issued as a result of the investigation. They are mainly addressed at the Ministry of Finance, which is responsible for implementing them together with the Ministry of Justice, Ministry of Transport and Communications, Finnish National Agency for Education and the Association of Finnish Local and Regional Authorities.
- The Ministry of Finance in cooperation with the Ministry of Justice should ensure that the legislation on information management in public administration is coordinated and that the structures for monitoring and steering it are clarified.
- The Ministry of Finance in cooperation with the Ministry of Transport and Communications should investigate how the detection of information security deficiencies in public administration can be improved nationally and ensure that public actors have sufficient capabilities for detecting and addressing shortcomings in information security.
- The Ministry of Finance in cooperation with the Finnish National Agency for Education should ensure that municipalities and cities develop clear and accessible guidelines for communicating about data breaches, enabling victims to protect themselves from the consequences of data breaches and protect their personal data.
- The Ministry of Finance in cooperation with the Association of Finnish Local and Regional Authorities should support municipalities in identifying and addressing critical information security shortcomings and develop risk management relating to information management and information security.
P2024 Helsinki Investigation report [pdf, 6.7 MB]
h/t, Catalin Cimpanu