THE NATIONAL BUREAU of Investigation (KRP) and Psychotherapy Centre Vastaamo have provided more information on a newly detected malicious hacking that is believed to have compromised sensitive data on tens of thousands of psychotherapy clients in Finland.
Vastaamo on Saturday said that the data may have been compromised in “at least two separate hackings” between late 2018 and early 2019.
“The current understanding is that our client register was targeted in a hacking in November 2018. As a consequence of the hacking, there has been a leak of confidential information on our clients leading up to late November 2018,” it stated in a press release.
“It is likely that our system was infiltrated also between November 2018 and March 2019. We are not aware of the database being hacked in connection with this incident, but it is possible that individual details have been accessed and copied.”
The first tranche of what is believed to be data on tens of thousands of psychotherapy clients was released by the presumed hacker on Wednesday, 21 October. The perpetrator, whose country of residence and present location remain unknown, is threatening to continue to release the information at a rate of 100 clients per day until the service provider has paid them 450,000 euros in bitcoins.
The psychotherapy service provider filed a request for inquiry about the hacking and blackmailing on 29 September. The perpetrator is presently suspected of aggravated computer break-in, aggravated extortion and aggravated dissemination of information violating personal privacy.
Tuomas Kahri, the board chairperson at Vastaamo, told STT the company delayed informing its clients about the hacking per instructions from the police.
“The police have asked us to limit communications and sharing of information about the issue, as well as imposed a reporting restriction on us, citing operational reasons,” he explained to the news agency.
Vastaamo has been sending e-mails to its clients to inform them about the hacking since Thursday. Although the company said the leaked data does not contain credit card details, the nature of the data is such that “the probable consequences can vary substantially depending on the person in question,” the e-mails read, according to Helsingin Sanomat.
Several of the victims received messages linked to the hacking late on Saturday, demanding a payment of 200–500 euros in bitcoins within 24 hours in exchange for permanently deleting their information. The messages indicated that because the service provider has refused to accept responsibility for its mistakes, the victims themselves have to pay to protect their personal information.
It has yet to be confirmed whether the hacker is also behind the blackmail messages.
“People must not give in to the demands made in the blackmail message,” underlined Marko Leponen, a detective chief inspector at KRP.
KRP instead instructed the recipients to file an electronic request for inquiry with their local police department, making sure to accurately enter all key information, ranging from the sender to time of receipt. The recipients were also instructed to refrain from deleting the e-mails, other types of messages or any possible pieces of evidence.
Vastaamo has offered the victims of the hacking and blackmailing the opportunity to discuss the issue with a therapist through its crisis hotline.
Robin Lardot, the director at KRP, on Sunday said the investigators do not yet know the exact number of clients whose data has been compromised, but the current assumption is that the illicitly obtained data contains information on tens of thousands of clients.
Thousands of requests for inquiry have already been filed in connection with the hacking, the investigators revealed on Sunday.
Aleksi Teivainen – HT