Altogether, the hackers accessed the numbers of over 100,000 payment cards from the poorly secured system of a Helsinki business. Of those, about 10,000 also included all card data. Since the system break-in, the business has replaced its system.
Police have declined to identify the business or what sector it operates in.
Hackers accessed the old system on several different occasions in January.
"Card information covering several years was stored on a server. The security breach, which originated abroad, targeted this server and they were able to download large amounts of data," says Inspector Jukkapekka Risu.
"The data accessed concerns all types of cards. The cards themselves were not compromised, but information about transactions in which the cards were used came into the hands of the hackers because of deficiencies in the storage system," explains Henry Kylänlahti of the card payment company Luottokunta.
Luottokunta discovered the breach in January during a routine security check. So far, there is no indication of widespread exploitation of the data gathered by the hackers.
Copies have been made of a few individual cards that have subsequently been used in various parts of the world. Cardholders are not financially responsible for this criminal misuse.
On the basis of computer logs, hackers accessed the system from abroad, with IP addresses pointing to the US and Romania.
"The actual location could be anywhere," admits Inspector Risu.
If the card details have been compromised, card issuers will contact the cardholder about cancellation and replacement.
The case under investigation is the most extensive of its kind ever in Finland. Up to now similar cases have involved no more than a few hundred cards.