Investigation into Helsinki Education Division data breach proceeds

On 2 May 2024, the City of Helsinki issued a notice of a data breach targeted at its Education Division. Investigation into the data breach proceeds through a cooperative effort by the City´s own and external experts. On Monday, 13 May 2024, the City of Helsinki held a press conference on the progress of this investigation.
Kaupungintalon ala-aula.
The City’s investigation into the breach will continue in cooperation with the authorities and further information will be shared as the investigation proceeds. Photo: Laura Oja

The City of Helsinki became aware of the data breach on 30 April 2024 and launched an investigation without delay. Various security measures were implemented and the Data Protection Ombudsman, the Police, and Traficom’s National Cyber Security Centre were duly notified. 

“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.

Data breach targets extensive group  

Most of the data on the network drive (tens of millions of files) are documents that do not contain personally identifying information or only contain ordinary personal information, the opportunity for abuse of which is not considered to be significant. However, some of the documents among those files do include confidential information or sensitive personal information.  

These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.  

We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction.  

“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” says Satu Järvenkallas, Executive Director of the Education Division.

Some customer and personnel data may be from years ago, which means that even if a particular person is not currently a customer or a member of staff at the Education Division, the perpetrator may have accessed their data.  

Data breach possible due to remote access vulnerability  

The breach of the Education Division network took place through a vulnerability in a remote access server. The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.  

“A hotfix patch has been available to eliminate this vulnerability, but it is not currently known why this hotfix was not installed on the server. Our security update and device maintenance controls and procedures have been insufficient. After the breach, we have taken measures to ensure that a similar breach is no longer possible,” said Hannu Heikkinen. “We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.”  

“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” says City Manager Jukka-Pekka Ujula. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city´s senior management,” Ujula continues.  

The city’s investigation into the breach will continue in cooperation with the authorities and further information will be shared as the investigation proceeds. The Helsinki Police Department is investigating the case as an aggravated computer break-in. The victim of the crime is currently the City of Helsinki, from whom the police receive all necessary information for the investigation of the case. At this stage of the preliminary investigation, city residents do not need to contact the police.

Information and help are available  

This data breach will certainly raise many questions among our customers and personnel. There is a comprehensive information package on data breach protection on the Cyber Security Centre website. Help and assistance is also available for persons affected by the data breach from our data breach customer service, crisis emergency services and through MIELI Mental Health Finland.

If you wish to discuss the issue with someone

Tiedotustilaisuus Helsingin kaupungin kasvatuksen ja koulutuksen toimialan tietomurron selvitystyön etenemisestä

Kansliapäällikkö Jukka-Pekka Ujula, digitalisaatiojohtaja Hannu Heikkinen sekä kasvatuksen ja koulutuksen toimialajohtaja Satu Järvenkallas antavat mediatilaisuudessa ajantasaista tietoa tietomurron selvitystyön tuloksista ja vaikutuksista sekä toimintaohjeita kasvatuksen ja koulutuksen toimialan asiakkaille. Lisäksi tilaisuudessa puhuu Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskuksen tietoturva-asiantuntija, Matias Mesiä.