Education Division data breach

On 2 May 2024, the City of Helsinki issued a notice of a data breach targeted at its Education Division. Find the latest information on the situation and responses to the most frequently asked questions on this page.

On this page

Possible target groups of the City of Helsinki data breach

Page updated on 19 June 2024.

Go to page for public notice for possible target groups of Education Division data breach

With progress made on the investigation into the 30 April data breach, it has emerged that the perpetrator may have gained access to a larger amount of information on the customers of the Education Division’s services. It is possible that the perpetrator has gained access to data on all persons of compulsory school age in Helsinki.

This set of data included the following information on learners from Helsinki born in 2005–2018 and their guardians:

  • Personal IDs of the child and guardian.
  • Addresses of the child and guardian (no phone numbers or email addresses). No addresses, phone numbers or email addresses of persons with a non-disclosure restriction were included.
  • Native language of the child.
  • Nationality of the child.
  • Religious community of the child (evangelical Lutheran / orthodox / registered religious community / not part of a religious community). 

Possibility of data breach also impacting private early childhood education, private schools and upper secondary schools, and private vocational schools. The data breach may have also accessed the following information:

  • In addition to the other City of Helsinki employees, the data breach may also affect temporary employees who work, for example, as early childhood education and teaching substitutes (information found on school-specific substitute lists).
  • Jobseekers’ recruitment information.
  • Names and contact information found in commission contracts, partner documentation and procurement contracts.
  • Child care benefit applications from multiple-birth families and applications for the Helsinki supplement for adopted children.
  • In addition to customer data of the day-care, playground and school in Santahamina, the access permit data of visitors to these branches may have been accessed by the perpetrator of the data breach. This data may also include passport numbers for families with a foreign background.
  • Students in integration training (KOTO) at the Swedish Adult Education Centre (Arbis) in Helsinki.

We urge all customers of the Education Division to stay vigilant. Leaked personal information may be used for email phishing, scams, or attempts at identity theft.

The City’s investigation into the breach will continue in cooperation with the authorities and further information will be shared as the investigation proceeds.  

On Monday, 13 May 2024, the City held a press conference on the results of this investigation.

On Tuesday, 21 May 2024, the City published a news regarding ongoing investigation showing wider target group for the City of Helsinki data breach

On Tuesday, 18 June 2024, the City published a news item, stating that the data breach targeting the city has not expanded, and that no misuse of information has been detected.

Page updated on 21 May. Information was added about possible target group expansion in the data breach affecting the city.

Page updated on 22 May. Added information about the garrison area in the Santahamina district of Helsinki and a separate mention that the data breach perpetrator may have obtained information on all students of compulsory education in the city.

Page updated on 18 June 2024. Information added about students in integration training (KOTO) at the Swedish Adult Education Centre (Arbis) in Helsinki.

Page updated on 19 June 2024. Public notice for possible target groups of the Education Division data breach added as a separate page.

This website will be updated regularly.


We are not currently aware of any immediate effects on the City’s service production.

We are currently unable to determine whose personal information is affected by this data breach.

What we currently know is that if you are or have been a customer of the Education Division, your data may have been at risk.

There is a page on the City of Helsinki website on the rights of data subjects, Rights of data subjects and exercising these rights

To find out which of your information may have been held by the Education Division, it is your right to submit a request to verify personal information. Due to the scope of this incident, the processing time for these requests is 3 months.

We advise you to remain vigilant of possible phishing attempts, other scams, or attempted identity theft. 
The City of Helsinki never asks for the users’ bank access codes, passwords, credit card number or other identifiers by phone, email, letter, or any other way. Take care that no one has access to these.

We urge you to be prepared for any suspicious contact. Be wary of any message that makes outlandish promises, urges you to act quickly, is from a suspicious address or seems otherwise vague. Do not open any links in such a message and delete them immediately.

To protect your personal information, use a strong password and do not reuse the same password for multiple devices or services. Change your password if you suspect that someone has your username and password.

Also read: Expert tips: What to do in the event of a data breach

The National Cyber Security Centre has a page with material and instructions for such a situation, Advice for victims of identity theft or data breaches(Link leads to external service). Make sure to also read the instructions at leads to external service).

We have no specific information about which persons' information has been affected by the data breach at this point, nor do we know the damages that might have been caused by the breach. If it later turns out that the data breach has caused damage that can be compensated for, it will be possible to file a claim for damages. The City of Helsinki will handle each possible claim on a case-by-case basis.

The systems that enabled the unauthorised access were closed immediately after the situation was discovered. Additionally, technical measures have been taken to limit the damage, and passwords have been changed in critical systems that may have been accessed. The City has notified the Data Protection Ombudsman and the National Cyber Security Centre, as well as filed a crime report with the Police. The City has also retained external data security experts to assist with the breach investigation.

There is no evidence that the culprit would have accessed the networks or data of other divisions. However, we are monitoring all City networks closely.

Information and guidelines on what to do are available