Matias Mesiä, a data security expert at the Finnish Transport and Communications Agency (Traficom), spoke at a press conference concerning a data breach at the City of Helsinki on Monday, 13 May 2024. Mesiä described the breach as possibly the largest ever in the municipal sector, with estimates suggesting some 120,000 people may have been affected. (Antti Aimo-Koivisto – Lehtikuva)


THE CITY OF HELSINKI on Monday reported that data on up to 120,000 learners, guardians and personnel has ended up in the wrong hands as a consequence of the data breach detected in its childhood and education division on 30 April.

The data consist of the usernames and e-mail addresses of all nearly 40,000 city personnel, as well as the addresses and personal identity codes of roughly 80,000 learners, parents and staff members.

“Additionally, the perpetrator has gained access to content on network drives belonging to the education division,” Hannu Heikkinen, the chief digital officer at the City of Helsinki, stated on Monday.

The network drives hold tens of millions of documents – mostly documents that no not pose a particularly high risk of misuse, according to the City of Helsinki. They also hold documents containing classified or sensitive personal information, such as information on customer fees for early-childhood education, student welfare-related information requests, details of special needs assessments, medical statements on the suspension of upper secondary studies and sick leave records of personnel at the division.

It is also possible that the perpetrator has accessed data on persons under a non-disclosure restriction.

“Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the education division can prepare for them,” said Satu Järvenkallas, the executive director of the childhood and education division at the City of Helsinki.

“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” added Jukka-Pekka Ujula, a city manager at the City of Helsinki.

Ujula on Monday revealed at a news conference that the breach originated abroad but that the identity of the perpetrator remains a mystery.

The perpetrator is believed to have accessed the intranet of the childhood and education division by exploiting a vulnerability in a remote access server. Heikkinen on Monday stated that a hotfix patch had been made available to address the vulnerability but that it had yet to be implemented at the division for reasons that remain unknown.

“Our security update and device maintenance controls and procedures have been insufficient,” he conceded.

The breach is believed to have taken place in the early hours of 30 April, according to a press release from Helsinki Police Department. The City of Helsinki became aware of it following the detection of “suspicious traffic” on its intranet on the same day. Heikkinen told Helsingin Sanomat on 1 May that the suspicious traffic possibly originated in Russia.

Both police and the data security ombudsman have opened an inquiry into the data breach, with police investigating it as aggravated computer break-in.

“The City of Helsinki is presently the victim of the crime, and it will provide all the information the police need for their pre-trial investigation. Citizens need not contact the police,” Heikki Kopperoinen, a deputy chief of police at Helsinki Police Department, stated on Monday.

Matias Mesiä, a data security expert at the Finnish Transport and Communications Agency (Traficom), stated at the press conference that the data breach is unusual in terms of the number of people it potentially concerns.

“This was possibly the largest data leak in the municipal sector,” he highlighted.

Such data breaches, he added, are regularly associated with crime and motivated by financial benefit, meaning there is a possibility that the data are used to attempt to extort the victims.

“Hackers steal data and occasionally they use them for extortion,” said Mesiä.

Mayor of Helsinki Juhana Vartiainen (NCP) on Monday expressed his regret about the data breach on X, assuring that the city has taken action to prevent similar incidents in future. He also promised a thorough investigation into the root cause of the breach.

“The data breach is currently a priority for the city’s senior management,” he said.

Aleksi Teivainen – HT