A brief history of data breaches in Finland from Vastaamo to City of Helsinki

Data breaches have been a hot topic in Finland recently, with the data breach suffered by the City of Helsinki on April 30th being the largest in Finland’s history according to current information. Additionally, the Vastaamo case, previously the largest data breach in Finland, received its first court ruling from the District Court of Western Uusimaa on the same day as the City of Helsinki breach. It is evident that in an increasingly digital world, the volume of cybercrime is rising. The fact that two of the largest data breaches in Finland occurred so close to each other is certainly noteworthy. The timing of these breaches suggests a pattern of negligence in the data security field in Finland. The big question is what circumstances create such vulnerabilities, and what can we learn from them to prevent future breaches. As the City of Helsinki data breach is still under investigation, this article will cover only the details of the Vastaamo case.

The Vastaamo case involved the data breach of over 30,000 psychotherapy patients admitted to Vastaamo Psychotherapy Center. ­Cybersecurity-wise, the Vastaamo case was essentially a catastrophe waiting to happen. The baseline protection for the Vastaamo database was virtually non-existent. On top of this, the company was ­revealed to have wildly disregarded their obligations to ensure adequate levels of data protection under the GDPR. According to the court ruling, the patient database was public and accessible by anyone for at least 17 months, from November 2017 to March 2019.

The big question is what circumstances create such vulnerabilities, and what can we learn from them to prevent future breaches.

During this time, access to the database was possible without a password. Additionally, Vastaamo did not become aware of the breach until September 2020, when the attacker made contact with them. This demonstrates that very little was done in terms of ­internal cybersecurity audits, and the non-actions were grossly negligent. The forensic investigation ­revealed that the data breach most likely occurred within a four-minute window. It took just four minutes for what was then the largest data breach in Finland to happen, resulting in 30,000 people losing their sensitive patient histories and other personal data.

Even in light of these major ­deficiencies, it is hard to grasp how much of a disaster the entire case truly was, with the complete lack of cybersecurity measures, audits and procedures being the catalyst for a plethora of problems. Preceding the police investigations, but after the data breach, Vastaamo was sold to a Intera Partners holding company. After the police investigations began, the holding company commenced legal proceedings against Vastaamo on the grounds that the acquisition would not have taken place if they had known about the breach. During the trial, the CEO denied knowing about the breach and even tried to shift the blame from himself to his employees, claiming that the employees withheld the information about the breach. A total of nearly 10 million euros of assets of the then-CEO of Vastaamo were seized as part of the ­legal action. The actual termination of the acquisition was settled through arbitration, resulting in the defendant having to pay 8 million euros in damages to the holding company. The CEO of Vastaamo was charged with three months of probation from a data protection offence. Also, the business of Vastaamo was later sold to another company, and Vastaamo itself ­declared bankrupt.

The magnitude and rapidity of the Vastaamo case could be partly attributed to the centralized information system on which the database was based. Centralized information systems are arguably more susceptible to cybercrime than their decentralized counterparts. As societies become increasingly digital and global data masses increase in volume and speed of flow, it is logical that data breaches will also grow directly proportional to the sizes of databases. Centralized information systems face significant difficulties when dealing with security issues.

The Vastaamo ruling was given solely on the criminal procedure related to the case, as the related civil claims were so massive that they require their own trial. While the civil side of the case is still pending a court date, the criminal ruling is also still unsolved as it has yet to reach force of law due to the defendant expressing his discontent on the District Court judgment. Getting a second ruling from the Court of Appeals may take another few years, and even then, force of law may not yet be achieved, as a possibility for the case to be brought before the Supreme Court of Finland remains. As a landmark case in Finland, the possibility for a Supreme Court ruling is more likely than generally. In any case, it will still be another four to five years before we get a final say on the matter.

In essence, a major shift in attitudes towards cybersecurity and data protection is necessary to prevent large-scale breaches.

The growth of data centrism presents other challenges as well, such as the increasing impact of ­human error. The Vastaamo case was one of negligence, just like the recent case with the City of Helsinki, both resulting from human error. Moreover, the current poli­tical landscape provides fertile ground for foreign cyber operations, evidenced by the palpable ­increase in denial-of-service attacks and other interference. Hackers are also becoming increasingly talented, with younger generations surpassing older ones in efficiency at ­exploiting available technology.

In essence, a major shift in attitudes towards cybersecurity and data protection is necessary to prevent large-scale breaches. It is no longer feasible for organizations to compartmentalize or outsource IT matters with the expectation that cybersecurity can be ensured, fixed, or implemented as a “one-off” ­solution. Proper IT management requires constant attention on both an individual and collective level. Today, cybersecurity is no longer an issue solely for experts but a consideration for everyone.