Major data breach affects Helsinki City´s thousands pupils, staff

The City of Helsinki recently issued a notice of a data breach targeted at its Education Division, said the City in a press conference on Monday.

Most of the data on the network drive (tens of millions of files) are documents that do not contain personally identifying information or only contain ordinary personal information, the opportunity for abuse of which is not considered to be significant.

However, some of the documents among those files included confidential information or sensitive personal information.

On 2 May, the City of Helsinki issued a notice of a data breach, which took place on April 30 and launched an extensive investigation into the incident.

The City authority took various security measures and notified the Data Protection Ombudsman, the Police, and Traficom’s National Cyber Security Centre in this regard.

“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” said the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.

The files included information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.

“We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction,” he said.

“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” said Satu Järvenkallas, Executive Director of the Education Division.

Some customer and personnel data may be from years ago, which means that even, if a particular person is not currently a customer or a member of staff at the Education Division, the perpetrator may have accessed their data.

The breach of the Education Division network took place through a vulnerability in a remote access server. The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.

“A hotfix patch has been available to eliminate this vulnerability, but it is not currently known why this hotfix was not installed on the server. Our security update and device maintenance controls and procedures have been insufficient. After the breach, we have taken measures to ensure that a similar breach is no longer possible,” said Heikkinen.

The City has not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, the City is monitoring all of its networks closely.

“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” said City Manager Jukka-Pekka Ujula.

“Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city´s senior management,” Ujula added.

This data breach will certainly raise many questions among the customers and personnel of the said the City.

Meanwhile, the police are currently investigating the case as an aggravated computer break-in, said police in a press release on Monday.

The extent and impact of the data breach are being investigated in cooperation with the City of Helsinki.

“The victim of the crime is currently the City of Helsinki, from which the police will receive all necessary information for the investigation of the case. City residents do not need to contact the police”, said the Deputy Police Commissioner Heikki Kopperoinen.