The data breach targeting the City of Helsinki has not expanded – No misuse detected

The City of Helsinki has continued to cooperate with authorities regarding the data breach targeting the Education Division. The police are investigating the incident as an aggravated computer break-in, and the National Bureau of Investigation is responsible for communication related to the progress of the criminal investigation. According to current information, the data obtained by the criminal party has not been misused.
Hands typing on a computer keyboard.
The city is enhancing the management of information security and data protection, as well as providing information security training for staff. Photo: Jukka Eggert

– The network drive that was the target of the breach at the end of April has been restored, and its content is currently being analysed. However, due to the large amount of data, it will take some time to complete the investigation, says Hannu Heikkinen, Chief Digital Officer.

The data breach was made possible by an outdated remote access server, which has now been decommissioned.

The outdated remote access server was scheduled to be decommissioned in conjunction with the migration of the Education Division’s data centres to a centralised digital infrastructure management function. However, changes to the migration schedule resulted in the server remaining in use.

The related liability issues will be thoroughly reviewed.

The city is enhancing the management of information security and data protection, as well as providing information security training for staff

The city’s management has action programmes to ensure information security and data protection across all divisions.

– In addition, we are exploring the transfer of the ICT environment and operational ICT work of the Education Division to the city-owned DigiHelsinki company, which began operations at the start of 2023, says City Manager Jukka-Pekka Ujula

– It is also important that the budget appropriations for 2025 are sufficient to implement the necessary data protection and security investments. Some of the city’s measures are related to accelerating already existing plans, says Mayor Juhana Vartiainen.

Authorities’ guidelines to support potential victims of the data breach

Understandably, the data breach has caused a lot of concern and questions among residents and city staff.

– The most frequent question we receive is what I need to do in this situation. The second question concerns communication – why have I not been contacted even though my data may have been compromised? In accordance with the General Data Protection Regulation, we have provided as much information as possible to the customer groups whose data may have been compromised, says Satu Järvenkallas, Head of Education Division. 

The city has published the potential target groups of the data breach on its webpage so that customers can identify if they are likely part of the breach and can consider the actions recommended by the authorities. These guidelines are available on the website of Traficom’s National Cyber Security Centre and on the website maintained by the Digital and Population Data Services Agency, where the authorities have cooperated to compile guidance for the victims of the data breach. Links to these sites can also be found on the page.

Together with other authorities, the city recommends actively protecting personal data. It is especially important for those potentially affected by the breach to be vigilant against phishing, fraud and identity theft attempts. It is also important to remember that the City of Helsinki will never ask customers for bank details, passwords, credit card numbers or other identifiers by phone, email, mail or other means.

When the City was made aware of the data breach on 30 April, an investigation was launched immediately. Various security measures were implemented and the Data Protection Ombudsman, the Police, and Traficom’s National Cyber Security Centre were duly notified.  The City has prepared press releases on the matter on 2 May, 13 May and 21 May 2024.

Data protection legislation requires the City to notify the possible targets of the data breach. Identifying the individual customers that have been targeted in this case is not possible, which means they will be informed with a public notice at leads to external service).This website will be updated as the investigation proceeds.