Data breaches - what are they?

The City of Helsinki Education Division reported they had been the target of a serious data breach at the start of May. The City held a briefing of the situation on 13 May 2024. The City has reported of the case to the Data Protection Ombudsman and the National Cyber Security Centre Finland, as well as reported the offence to the police. The police are investigating the extent of the data breach and its effects together with the City of Helsinki. 

According to the City of Helsinki, the breach into the Division’s data network happened through a remote access server. The attacker gained entry into the system by exploiting the vulnerability in the server. This case is under investigation.

The NCSC-FI supports the City of Helsinki in investigating the situation.

What is a data breach?

Data breach means the unauthorised intrusion into:

• an information system
• service
• device, or 
• the unauthorised use of an application with the credentials obtained. 

Data breaches are also made by hacking past security systems in various ways, for example by exploiting vulnerabilities. Over the past six months, serious and easily exploitable vulnerabilities have been detected in many major device manufacturers' network edge devices, such as VPN gateways, the exploitation of which has been widely observed in various cyberattacks. Critical vulnerabilities in network edge devices such as these form a risk to the cybersecurity of organisations. For example, by exploiting vulnerabilities in VPN products for secure remote access, it is also possible for people outside the organisation to gain access to the organisation's network, especially if no other measures limiting attacks are in place. Making sure the necessary security patches are installed is very important. 

Data breaches have many consequences

A data breach can result in, for example, financial damage to the organisation, interruptions in operations, and damage to their reputation. Stolen information may be published or the person holding the information can blackmail the victim by demanding a ransom.

A data breach can result in a data leak if the attacker gets a hold of confidential information in the information system. In a data leak, the attacker may get a hold of personal information, invoicing information, account information, payment cards, business secrets, or other confidential and valuable information. A data leak should be reported to the Office of the Data Protection Ombudsman.

Data breaches against a private person can be used, for example, in identity theft, in which case the other person tries to impersonate the person who was the subject of the data breach. A data breach can also be purely intimidation. When a private individual is the victim of a data breach, they may experience problems with systems that are not working or personal information that has fallen into the wrong hands.

The motive of the perpetrator may be, for example, harassment, blackmail, or even espionage by a state actor. Data breaches are done by criminals, state actors and even individual people.

Investigating data breaches

Determining the perpetrator of a data breach is often challenging, and, for example, it is often not possible to directly determine where a data breach was made from based on the location of the IP address. The investigation may be challenging and time-consuming, which is why the severity or effects of the situation often become more specific only when the case is being investigated.

The data breach requires an investigation into the target system and often close cooperation between the victim organisation, authorities and those helping to recover from the occurrence.

Protecting oneself against data breaches

For a private person, the most effective way is multi-factor authentication and general information security. Organisations use different measures that limit access.

Criminals search the web tirelessly for unupdated systems that could be their target. Criminals aim to exploit the vulnerabilities before they have been corrected. Attempts to actively exploit the vulnerability will begin at the latest when the vulnerability has become public. However, the quick updating of systems is very important and you should be ready to update them constantly, including during general holiday periods. Unfortunately, the mere updating of systems is seldom enough to protect them, but the systems should be investigated whenever a vulnerability is made public. This way you can be sure that the vulnerability has not already been exploited, and that no backdoors, i.e. hidden entryways, have been installed into the system.

“Severe and easily exploitable vulnerabilities have been identified in network edge devices, such as VPN gateways, from many major device manufacturers over the past six months. That is why it is important that we pay particular attention to resources and competence in organisations,” reminds Director Samuli Bergström from the National Cyber Security Centre Finland.

The purpose of NCSC-FI’s CERT, i.e. Coordination Centre, activities is to prevent information security incidents and to disseminate information on information security matters. CERT handles information security incident reports and supports the organisations which have made the report in investigating the incident. The NCSC-FI also distributes information to citizens and on its part guides individuals on what they can do if their information has been the target of a data breach or a leak.