Ongoing investigation shows wider target group for the City of Helsinki data breach

With progress made on the investigation into the 30 April data breach, it has emerged that the perpetrator may have gained access to a larger amount of information on the customers of the Education Division’s services. The possible number of people impacted by the data breach is likely to rise.
Hands writing on a computer keyboard.
The City’s investigation into the breach will continue in cooperation with the authorities and further information will be shared as the investigation proceeds. Photo: Jukka Eggert

It is possible that the perpetrator has gained access to data on all persons of compulsory school age in Helsinki. The City of Helsinki stores information on persons of compulsory school age from Helsinki, and their parents, based on the City’s duty to monitor the achievement of compulsory education. This data was stored on a City network drive that was impacted by the data breach. 

This set of data included the following information on learners from Helsinki born in 2005–2018 and their guardians:

  • Personal IDs of the child and guardian.
  • Addresses of the child and guardian (no phone numbers or email addresses). No addresses, phone numbers or email addresses of persons with a non-disclosure restriction were included.
  • Native language of the child.
  • Nationality of the child.
  • Religious community of the child (evangelical Lutheran / orthodox / registered religious community / not part of a religious community). 

Possibility of data breach also impacting private early childhood education, private schools and upper secondary schools, and private vocational schools

In addition to the City’s early childhood education units, schools and educational institutions, regarding private day-cares, contractual schools in Helsinki, private and state-run schools as well as private upper secondary schools and vocational schools.

This group additionally includes all students who have applied for weighted curriculum education as well as learners from Helsinki undergoing home schooling. The data breach may also impact learners from Helsinki that study in other cities. 

Other possible target groups

Targets may include students and apprentices from Helsinki Vocational College and Adult Institute, customers of Swedish Adult Education Centre Arbis, as well as families that have participated in clubs activities arranged by early childhood education.

In addition to customer data of the day-care, playground and school in Santahamina, the access permit data of visitors to these branches may have been accessed by the perpetrator of the data breach. This data may also include passport numbers for families with a foreign background.

Ongoing investigation – secure your personal data

According to current estimates, it is possible that the data breach impacts roughly 150,000 learners as well as their guardians. As the City has previously stated, all roughly 38,000 city personnel were also impacted by the data breach. 

“The investigation into the breach will continue in cooperation with the authorities and further information will be shared as the investigation proceeds. The City and other authorities’ recommendation is that you begin actively securing your personal data, even though the investigation into the data breach is still ongoing,” says City Manager Jukka-Pekka Ujula.  

The National Bureau of Investigation and the Police are investigating the case as an aggravated computer break-in, and communications on the criminal investigation will be provided by the Police. The victim of the crime is currently the City of Helsinki, from whom the police receive all necessary information for the investigation of the case. The City of Helsinki has duly reported the crime to the police, which is being used as the basis for the investigation. City residents do not need to file police reports.

When the City was made aware of the data breach on 30 April, an investigation was launched immediately. Various security measures were implemented and the Data Protection Ombudsman, the Police, and Traficom’s National Cyber Security Centre were duly notified.  The City has prepared press releases on the matter on 2 May and 13 May 2024.

Data protection legislation requires the City to notify the possible targets of the data breach. Identifying the individual customers that have been targeted in this case is not possible, which means they will be informed with a public notice at leads to external service). This website will be updated as the investigation proceeds.