Possible target groups of the City of Helsinki data breach
Page updated on 17 December 2024.
Go to page for public notice for possible target groups of Education Division data breach
With progress made on the investigation into the 30 April data breach, it has emerged that the perpetrator may have gained access to a larger amount of information on the customers of the Education Division’s services. It is possible that the perpetrator has gained access to data on all persons of compulsory school age in Helsinki.
This set of data included the following information on learners from Helsinki born in 2005–2018 and their guardians:
- Personal IDs of the child and guardian.
- Addresses of the child and guardian (no phone numbers or email addresses). No addresses, phone numbers or email addresses of persons with a non-disclosure restriction were included.
- Native language of the child.
- Nationality of the child.
- Religious community of the child (evangelical Lutheran / orthodox / registered religious community / not part of a religious community).
Possibility of data breach also impacting private early childhood education, private schools and upper secondary schools, and private vocational schools. The data breach may have also accessed the following information:
- In addition to the other City of Helsinki employees, the data breach may also affect temporary employees who work, for example, as early childhood education and teaching substitutes (information found on school-specific substitute lists).
- Jobseekers’ recruitment information.
- Names and contact information found in commission contracts, partner documentation and procurement contracts.
- Child care benefit applications from multiple-birth families and applications for the Helsinki supplement for adopted children.
- In addition to customer data of the day-care, playground and school in Santahamina, the access permit data of visitors to these branches may have been accessed by the perpetrator of the data breach. This data may also include passport numbers for families with a foreign background.
- Students in integration training (KOTO) at the Swedish Adult Education Centre (Arbis) in Helsinki.
We urge all customers of the Education Division to stay vigilant. Leaked personal information may be used for email phishing, scams, or attempts at identity theft.
The City’s investigation into the breach will continue in cooperation with the authorities and further information will be shared as the investigation proceeds.
The City of Helsinki’s report submitted to the Office of the Data Protection Ombudsman on 8 July 2024 on the personal data stored on the breached network drive
The table below was submitted to the Data Protection Ombudsman on 8 July 2024 in response to the request for a report. The table summarises the data that was processed on the breached network drive. It is a summary of the categories of personal data stored on the network drive and which personal data was processed under these categories.
The perpetrator of the data breach gained access to only some of the data that was being processed on the breached network drive, and the table cannot be used to draw conclusions on which personal data from each category or on which specific persons the perpetrator gained access to. The investigation of the extent of the data breach continues.
A more detailed summary of the data that was processed on the breached network drive (pdf)
This table does not indicate whether the data breach perpetrator has in fact accessed information on certain groups of people.
On Monday, 13 May 2024, the City held a press conference on the results of this investigation.
On Tuesday, 21 May 2024, the City published a news regarding ongoing investigation showing wider target group for the City of Helsinki data breach.
On Tuesday, 18 June 2024, the City published a news item, stating that the data breach targeting the city has not expanded, and that no misuse of information has been detected.
On Monday 8 July 2024, the City published a news story to inform the Data Protection Ombudsman of its report.
On Friday 12 July 2024, the City published a news story to inform that investigative team commences investigation into the data breach against the City of Helsinki.
On Tuesday 17 December 2024, the City published a news story to inform that Helsinki City Board receives status update on Education Division data breach.
Page updated on 21 May. Information was added about possible target group expansion in the data breach affecting the city.
Page updated on 22 May. Added information about the garrison area in the Santahamina district of Helsinki and a separate mention that the data breach perpetrator may have obtained information on all students of compulsory education in the city.
Page updated on 18 June 2024. Information added about students in integration training (KOTO) at the Swedish Adult Education Centre (Arbis) in Helsinki.
Page updated on 19 June 2024. Public notice for possible target groups of the Education Division data breach added as a separate page.
Page updated on 7 July 2024. Information added about the City of Helsinki’s report submitted to the Office of the Data Protection Ombudsman, attached a table summarising the data that was processed on the breached network drive.
Page updated on 12 July 2024. The City of Helsinki told that investigative team commences investigation into the data breach against the City of Helsinki.
Page updated on 17 December 2024. The City of Helsinki told that Helsinki City Board receives status update on Education Division data breach.
This website will be updated regularly.
FAQ
We are not currently aware of any immediate effects on the City’s service production.
We are currently unable to determine whose personal information is affected by this data breach.
What we currently know is that if you are or have been a customer of the Education Division, your data may have been at risk.
There is a page on the City of Helsinki website on the rights of data subjects, Rights of data subjects and exercising these rights
To find out which of your information may have been held by the Education Division, it is your right to submit a request to verify personal information. Due to the scope of this incident, the processing time for these requests is 3 months.
We advise you to remain vigilant of possible phishing attempts, other scams, or attempted identity theft.
The City of Helsinki never asks for the users’ bank access codes, passwords, credit card number or other identifiers by phone, email, letter, or any other way. Take care that no one has access to these.
We urge you to be prepared for any suspicious contact. Be wary of any message that makes outlandish promises, urges you to act quickly, is from a suspicious address or seems otherwise vague. Do not open any links in such a message and delete them immediately.
To protect your personal information, use a strong password and do not reuse the same password for multiple devices or services. Change your password if you suspect that someone has your username and password.
Also read: Expert tips: What to do in the event of a data breach
The National Cyber Security Centre has a page with material and instructions for such a situation, Advice for victims of identity theft or data breaches(Link leads to external service). Make sure to also read the instructions at https://www.suomi.fi/guides/data-leak(Link leads to external service).
We have no specific information about which persons' information has been affected by the data breach at this point, nor do we know the damages that might have been caused by the breach. If it later turns out that the data breach has caused damage that can be compensated for, it will be possible to file a claim for damages. The City of Helsinki will handle each possible claim on a case-by-case basis.
The systems that enabled the unauthorised access were closed immediately after the situation was discovered. Additionally, technical measures have been taken to limit the damage, and passwords have been changed in critical systems that may have been accessed. The City has notified the Data Protection Ombudsman and the National Cyber Security Centre, as well as filed a crime report with the Police. The City has also retained external data security experts to assist with the breach investigation.
There is no evidence that the culprit would have accessed the networks or data of other divisions. However, we are monitoring all City networks closely.
Information and guidelines on what to do are available
- Education Division advisory services, Mon–Fri at 10 am–12 pm, 1 pm–3 pm, tel. +358 9 310 44986 or kaskotietoturvatilanne@hel.fi(Link opens default mail program)
- Traficom Cyber Security Centre: Advice for victims of identity theft or data breaches(Link leads to external service)and Data breaches page(Link leads to external service)
- Suomi.fi, Guides, Data leak(Link leads to external service)
- MIELI crisis helpline, 24/7, tel. +358 9 2525 0111
- Sekasin chat, sekasin.fi(Link leads to external service), weekdays at 9 am – midnight, Sat and Sun 3 pm – midnight
- Sekasin-chatten på svenska, sekasin.fi/se(Link leads to external service), må-sö klo 3 pm – 7 pm
- City of Helsinki Crisis Emergency Service, 24/7, tel. +358 9 310 44222