The City of Helsinki says it is unsure about who carried out a major data breach of databases belonging to its educational and training departments, the City announced on Monday.
Matias Mesilä, a data security expert from Traficom's National Cyber Security Centre characterised the breach as "possibly the largest data breach affecting [Finland's] municipal sector".
As of Monday, nothing was known about the perpetrator other than that the breach was carried out from outside Finland.
In a press release issued on Monday afternoon, City Manager Jukka-Pekka Ujula apologised for the situation and explained the scope of the breach.
"The data breach in question is very serious and its potential consequences for our clients and personnel are very unfortunate. We are sorry about this. Taking into account the number of users of the city's services now and in previous years, in the worst case, the data leak affects more than 80,000 [pupils] and their guardians. In terms of personnel, the data breach affects all of our staff because the perpetrator obtained the e-mail addresses and user IDs of the entire personnel," Ujula said.
The hacker also gained access to the information of around 38,000 City employees.
The City's Chief Digital Officer, Hannu Heikkinen, has previously said that the perpetrator of the breach gained access to databases using city employee usernames, adding that the network was shut down after the breach was detected.
"More detailed investigations have shown that the perpetrator of the data breach obtained the usernames and email addresses of all city employees, as well as the personal IDs and address details of educators, guardians and personnel in the education and training departments," Heikkinen said in the City's press release.
Tens of millions of documents
The City said that most of the data on the breached network — which includes tens of millions of documents — were files that did not contain personal data or contained a level of personal information that did not pose a high risk if misused.
However, it noted that the documents obtained in the breach included files containing confidential information or sensitive personal data.
Such files included information on parents' early childhood education fees and their payment, sensitive data regarding childrens' situations at schools — such as information about their special support requirements, medical reports in regard to middle school pupils' suspensions, as well as details about educators' and training staff sick leave, for example.
"The amount of information that needs to be clarified is huge. Unfortunately, we cannot yet assess with certainty which information reached the perpetrator of the data breach. However, we will now tell you what risks exist so that the customers and staff of education and training services can prepare for the situation. This is the method of operation in accordance with [Finland's] data protection legislation," said Satu Järvenkallas, Helsinki's education division executive director.
Patch available but not installed
The City's chief digital officer Heikkinen noted that the perpetrator of the breach used a security vulnerability to access the data via a remote server and also acknowledged that there was a software patch available to prevent such an attack but was not installed at the time.
The City said it would continue to investigate the incident and cooperate with authorities. The Helsinki Police Department is investigating the incident as a serious data breach case.
"There has been a patch for this vulnerability, but it is currently unknown why the patch was not installed on the server. The controls and operating methods related to the maintenance of data security updates and devices have been inadequate. After the data breach, we have taken measures to ensure that a similar breach is no longer possible," Heikkinen said in the release on Monday.
The City has advised victims of the data breach who need support to turn to its customer service portal as well as Mieli Mental Health Finland for crisis assistance.