Helsinki braced for elevated cyber attacks
The City of Helsinki is increasing its collaboration with cyber security and crime investigators following a major attack on its systems
The City of Helsinki is collaborating with Finland’s National Cyber Security Centre and the National Bureau of Investigation to identify the “bad actors” that hacked a remote server managed by the municipality.
The scale of the attack, which triggered a massive breach of a City of Helsinki (CoH) database, has resulted in the Finnish government ordering municipalities to stress and risk test primary IT networks for vulnerabilities against threats from the cyber domain.
This year has so far seen a significant increase in cyber attacks against both public and private IT networks across the Nordic countries. The elevated level of threat is happening against the backdrop of deepening talks between Nordic governments to develop joint solutions to counter bad actor events and help private and public organisations strengthen data security connected to their IT networks.
In July, Nordic national cyber security centres raised the threat level for destructive cyber attacks from low to medium, a development aimed at raising greater awareness among those public and private organisations most susceptible to hybrid attacks.
The cyber attack against the CoH, which originated in April 2024 but was made public in June, specifically targeted the municipality’s Education Resource Division (ERD). The key findings of the preliminary investigation led by the CoH’s IT Security unit and the National Cyber Security Centre (NCSC) revealed that the hack and data breach were enabled by an outdated remote access server. The problem server was promptly shuttered and removed from the main IT network.
The preliminary investigation has established that no part of the data captured in the hack, estimated by the CoH to comprise “tens of millions of documents”, has so far been “misused” or fraudulently exploited for commercial gain on the “dark web”.
The captured data included personal contact information, excluding telephone numbers and email addresses, relating to children born in the greater Helsinki area between the years 2005 and 2018. The information hacked included “client identification” codes for children, parents and guardians. The data theft included passport numbers linked to families on the ERD’s database with “foreign backgrounds”.
Change in maintenance schedules
The obsolete server had been earmarked for decommissioning ahead of the breach, but the server’s removal was delayed by a change in maintenance schedules that caused it to remain in use, said Hannu Heikkinen, the CoH’s chief digital officer.
“The network drive and its content are being analysed,” he said. “Due to the huge amount of data, it will take some time to complete our investigation.”
The preliminary investigation established that the cyber criminals used security vulnerabilities in the outdated server to capture sensitive personal data using a remote server. A software patch was available to prevent a data breach on the vulnerable server, but the fix was not implemented in advance of the hack, said Heikkinen.
The cyber attack against the CoH is the most serious breach, in terms of data capture, experienced by any municipality in Finland to date. The CoH estimates that the hack against the ERD resulted in the theft of case files relating to 150,000 children of compulsory school age, their parents and guardians. In addition, the hack captured data on all of the 38,000 staff on the city’s payroll.
The CoH’s post-hack IT database security rebuild is running parallel with compliance actions undertaken by the city to meet its General Data Protection Regulation (GDPR) obligations. The CoH had contacted all “client groups”, whose data was captured or compromised in the hack, by the end of July.
The cyber strike against the ERD is the latest in a wave of serious cyber strike events in 2024 that started in January with a malicious ransomware attack on technology group Tietoevry’s datacentres in Sweden. The company detected the sustained attack on the night of 19 January. Tietoevry’s IT-Network Security Team was able to halt the attack in the early hours of 20 January, limiting its impact.
Tietoevry restored activities under a rebuilt platform within 24 hours of the attack, and was able to reinstate in excess of 90% of the affected servers from backups within four days of the attack, which did not affect other parts of the company’s infrastructure.
The Helsinki-headquartered Tietoevry invested €100m into the development of datacentres, cyber security and attack-resilient IT infrastructure during the period between 2022 and 2023, said Kimmo Alkio, Tietoevry’s CEO.
“Cyber security has become a fundamental enabler of the digital society,” he said. “As a prominent Nordic player, we take seriously the responsibility we have to be at the forefront of digital security and continuous improvement.”
New legislation
The cyber strike against the CoH and the ERD has accelerated the Finnish government’s pre-existing plan to introduce new legislation to penalise municipalities that fail to protect the personal data of their “clients”. Under current laws, which exempt municipalities, fines of up to €20m can be imposed on private organisations that fail to secure client data.
Based on its present legislative reform programme, the Finnish government is on course to extend failure to protect data legislation and penalties to municipalities by year-end 2024 or during the first half of 2025.
Although the Office of the Data Protection Ombudsman (ODPO) is currently investigating the shortcomings in the CoH’s IT network that enabled the hack against the ERD to take place, the city is unlikely to face retroactive fines should the ODPO’s probe determine it failed to implement sufficient data security measures and safeguards to adequately defend against threats from bad actors in the cyber sphere.
In June, the ODPO confirmed it had received 6,900 individual data breach reports in 2023 from private and public organisations in Finland. This represented an increase of 1,400 reports compared with 2022. Most of the data breaches notified to the ODPO came from public organisations operating in Finland’s social welfare and healthcare sectors, followed by enterprises in the financial and telecommunications areas.
“The sharp rise can be explained by increasing awareness among Finland’s public and private companies coupled with a greater understanding of their duties to report suspected data breaches,” said Heljä-Tuulia Pihamaa, the ODPO’s deputy director. “Currently, human error is the most common cause of data breaches.”
The National Bureau of Investigation has identified Russia and China as the two main sources of cyber threats against Finnish and Nordic targets. The state security agency suspects state-funded bad actors in Russia of being behind cyber attacks and database breaches against Nordic organisations, including logistics companies in neighbouring Estonia, since 2022.
Mikko Hyppönen, the chief research officer at Finnish cyber security specialist WithSecure, said Russia has been using malware in cyber attacks on targets in Eastern European countries since before mid-2022. “We are seeing an escalation in activity at present that is more than just data collection, surveillance and intelligence gathering,” he said.