City of Helsinki suffered a data breach

The City of Helsinki suffered a data breach that impacted tens of thousands of students, guardians, and personnel.

The Police of Finland is investigating a data breach suffered by the City of Helsinki, the security breach occurred during the night of 30 April 2024.

The data breach impacted the City’s Education Division’s computer network. The City of Helsinki reported the incident to the police and the investigation is still ongoing to determine the extent and impact of the incident.

“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” says Satu Järvenkallas, Executive Director of the Education Division.

“The victim of the crime is currently the City of Helsinki, from which the police will receive all necessary information for the investigation of the case. City residents do not need to contact the police”, said the Deputy Police Commissioner Heikki Kopperoinen. 

The City already implemented various security measures in response to the security breach. 

“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.

The incident exposed tens of millions of files, most of them contain ordinary personal information, but the City believes that the opportunity for abuse of this information is minor. However, some of the compromised documents include confidential information or sensitive personal information.  

“These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.” reads the statement published by the City of Helsinki. “We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction.”  

The data in the incident include information dating back several years, potentially compromising individuals who were not current customers or staff members of the Education Division.

According to the announcement, threat actors exploited a vulnerability in the Education Division network server to remotely access it. Although a patch to fix this vulnerability was available, it was not installed on the server for unknown reasons. Hannu Heikkinen stated that their security controls and procedures were inadequate, but measures have been implemented to prevent a similar breach in the future. No evidence suggests that the threat actors accessed networks or data from other divisions, but all City of Helsinki networks are being closely monitored.

“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” says City Manager Jukka-Pekka Ujula. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city´s senior management,” Ujula continues.  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)