The City of Helsinki’s logo outside the Helsinki Cathedral on 16 June 2023. The city communicated last week that hundreds of thousands may have been affected by the data breach it detected on 30 April. (Jussi Nukari – Lehtikuva)


THE CITY of Helsinki has reported that the data breach it detected at the end of last month appears to be larger than initially expected, with the perpetrator possibly gaining access to all people of compulsory-school age in the city.

The Finnish capital announced last week that the breach possibly concerns roughly 150,000 pupils, their guardians and all of its roughly 38,000 employees.

The perpetrator breached a network drive that contained the following information on all children born in 2005–2018: personal identity numbers of both the children and their guardians, street addresses of both the children and their guardians, the nationality and mother tongue of the children, and the religious community of the children.

Helsinki pointed out that it stores information on compulsory-age children and their parents in order to fulfil its duty to monitor enrolment and performance in primary schools.

It also conceded that the breach could extend beyond its own early-childhood education units, schools and other educational institutions, to private daycare centres, contractual schools, private and state-run schools, and private upper-secondary and vocational schools. In addition to data on customers of the daycare centre, school and playground in Santahamina, the perpetrator may have accessed the access permits of visitors to said units, possibly including passport numbers for families of foreign backgrounds.

The breach is being investigated as aggravated computer break-in by Helsinki Police Department and the National Bureau of Investigation (KRP).

Jouni Isoaho, a professor of communication and cybersecurity engineering at the University of Turku, stated to Helsingin Sanomat last Tuesday that the breach could even pose a threat to national security.

“It does at least increase the risk,” he viewed.

The breach is exceptional in the context of Finland, according to Isoaho. The breach is believed to concern a significantly higher number of people than the roughly 33,000 who were affected by the hacking of Psychotherapy Centre Vastaamo.

“The scale is big because a big organisation was hit. If you think about organisations in Finland, how many are there that are bigger than the City of Helsinki?” he asked.

Isoaho viewed that the city deserves blame for its communication approach and level of data security, despite some improvements in the former.

“Data administration has been wrong also in the past, and it’s wanted to create some level of credibility through communication. I’d be looking in the mirror for a while,” he stated to Helsingin Sanomat.

He said he has long been concerned about the tendency of organisations to transfer vast amounts of data into a single repository – and do so as poorly as possible. When a perpetrator gains access to a data storage such as a network drive, he reminded, they inevitably gain access to its entire contents.

One of the fundamentals of cybersecurity is that there is no absolute security. “It’s always possible to break in. If you can work a little to score a big win, someone is very likely to do that,” said Isoaho.

He encouraged organisations to improve their data administration by cleaning up data as soon as they become unnecessary, to recognise not only external but also internal threats, such as curious employees, and to learn from previous data breaches. “You should set a best-before date for data. Data shouldn't be stored after you no longer need it.”

Ultimately, many large-scale breaches are made possible by servers that are not up to date. Also Helsinki previously admitted that a hotfix had been made available but not installed to patch up the vulnerability exploited by the perpetrator.

“People never seem to learn [how important updates are] because they take time. Many updates are about patching up vulnerabilities,” he reminded.

Aleksi Teivainen – HT