The Vastaamo case – Finland’s worst data breach

25 Oct The Vastaamo case – Finland’s worst data breach

Posted at 15:01h in Cyber Security, Privacy and Data Protection by ICTLC Finland

More than 30,000 victims, criminal conviction for CEO

What was Vastaamo’s business?

Vastaamo was a provider of psychotherapy services in Finland. At one time, there was a severe shortage of mental health service providers in the public sector, and Vastaamo, founded in 2008, was an answer to this need. Doctors and hospitals could use Vastaamo as an external service provider for a wide range of mental health issues requiring counselling. Ville Tapio, CEO and founder of Vastaamo, had a background in technology and was personally involved in building the service. His parents owned small minority shares in the company.

The hacks and Vastaamo’s passivity

The first successful attack on the Vastaamo database allegedly took place as early as November 2018. According to the evidence now presented to the court, however, CEO Ville Tapio was absolutely aware of an attack which took place in March 2019. Despite this, nothing was done – the breach was swept under the carpet by Vastaamo.

One reason for the secrecy was that M&A negotiations and due diligence (“DD”) were underway. The owners of Vastaamo wanted to sell their company for about EUR 10 million. While the buyers performed a data security DD, it was superficial. They were too trusting, as in Finland every healthcare provider is subject to strict data security requirements and Vastaamo was approved by the authorities. It has now been revealed that at the time, both of these assessments were mainly “on paper”, meaning that Vastaamo (like any other service provider) simply completed self-assessment documentation and gave sufficient assurances and guarantees.

Any disclosure of the data breaches would have been detrimental to the progress of the acquisition. The share deal was completed, and the purchase price paid to the sellers before the scandal became public.

More hacks, extortion, and publicity

On 28 September 2019, the first blackmail attempt was made via email to the CEO and two other employees. A hacker claimed to have accessed and copied the entire database of patient information. Vastaamo reported the incident to the DPA in Finland the next day but did not inform its end-users/patients.

The first public announcement was made on 21 October, simply stating that there had been a breach. The announcement, however, did not include any details about what had been breached, how or when.

The buyers were the quickest to react with claims of “misleading information before [the] share purchase”, the CEO was kicked out and the buyers applied to the court for an injunction (freezing of Ville Tapio’s assets and bank accounts) and were successful. The entire purchase price was frozen.

Investigations and findings by authorities

Several authorities started their own investigations, namely the National Bureau of Investigation (police), the Data Ombudsman (Finnish DPA) and the National Cybersecurity Centre.

Due to the tens of thousands of victims, the police set up a web service for the submission of information, claims and to conduct virtual interviews. In February 2021, the bankruptcy proceedings of Vastaamo, which had lost all its business overnight.

It turned out that many patients had been extorted early on, and some of them had paid. There were patients who feared they would lose their jobs and/or their families if their secrets or mental health problems were found out. Not only was the trust of vulnerable patients tragically betrayed, but society had to find alternative services while dealing with the current scenario.

The hunt for the hacker continued, with many professionals working for companies other than the agencies involved in the investigation volunteering to help. There were early indications that the hacker was probably from Finland, as the hacker had made some mistakes and was arrogant.

The investigation found that:

The entire database was accessible to almost everyone, no access controls were implemented.
Patient data was not encrypted, it had been available on the net without any protection for at least 1.5 years.
There was no firewall in place between November 2017 and March 2019.
The CEO blamed his IT team, which was responsible for data security on paper, saying the missing firewall was due to changes made to the server by an IT worker.
Employees strongly refused to take the blame, but were told that the culture was not to oppose the CEO or question his opinions, they had asked for more resources in vain.
Admin username and password were the same word: “root”.
A security audit was carried out by the national health regulator, but it seemed to be a mere paper-based exercise.
No one had actually assessed the actual data security of the company or performed a physical audit (e.g., verifying access rights and password robustness).
No DPIA was carried out for the collection and processing of special category data.
In Finland, it was unclear to the authorities who was in charge when there was an overlap of responsibilities (police, DPA or cybersecurity or health security).

Ongoing legal proceedings and the hacker

The hacker was identified as a young Finnish man with a history of similar crimes, who had previously been a member of the Lizard Squad hacker group. He was arrested in February 2023 in France. The trial begins next week. Victims are disappointed and angry, it seems that compensation is very meagre. Some claim that fighting identity theft alone has costed them at least EUR 20.00-60.00 per year.

The cost to society is immense, as several authorities have been involved in investigations and court cases for multiple years. The CEO has lost his company, his reputation, the money seized and has been given a suspended prison sentence. Both the prosecutor and CEO Ville Tapio have appealed to the Helsinki Court of Appeal.

The DPA has issued several decisions on data breaches and GDPR violations, but the fines were very modest, only EUR 608,000. The explanation was that Vastaamo had cooperated in the investigation (but only after the incident became public). Although it was considered a serious breach, there were no compliant processes or documentation taking into account the nature of the personal data. It is a pragmatic view that there will be no money in the company due to bankruptcy proceedings, but many saw this as a weak explanation and the light fines as a bad signal.

Conclusions and lessons learned

The pragmatic lesson from this ongoing scandal is the need to conduct reliable physical audits of your critical service providers. This is especially true if they process special categories of personal data. There is no added value in asking superficial questions on written forms, as targets will say what sounds best and some are naturally inclined to hide their shortcomings. It is highly recommended to use reputable third-party audit services that give assurances and guarantees for audits which have been carried out by professionals.

It is always temptingly easy to criticise the decisions of others after the fact, but we can at least learn and be more diligent in our next projects. If someone had simply visited Vastaamo in person, sat next to the IT staff and asked them to access the services, they would at least have heard (if they were discreet enough not to watch) that the username and password were only four (4) characters each. Anyone with a rudimentary understanding of data security would have asked, “Excuse me, is your password really that short?”

The impact of the lack of DPIA was also critical in this case. No one had assessed the risks and/or the means to mitigate those risks, which would have consisted of clear policies that should have been pragmatically followed and updated.

To quote one safety professional: “If you were building a simple cafe, nobody would have relied on the contractor alone to say that fire safety requirements were fully met”.