Vastaamo data breach

Date:
  • November, 2018 (first intrusion)
  • March, 2019 (second penetration)
  • October 21, 2020 (became public)
Location: Finland
Type: cyberattack, data breach, ransomware
Target: Vastaamo
Suspects: Aleksanteri Kivimäki

Vastaamo was a Finnish private psychotherapy service provider founded in 2008.[1] On 21 October 2020, Vastaamo announced that its patient database had been hacked. Private information obtained by the perpetrators was used in an attempt to extort Vastaamo and, later, its clients.[2] The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid. To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.

After extortion of the company failed, the extorters sent emails to the clients whose data they had obtained, demanding that they pay ransoms in order to avoid publication of their sensitive personal data.[3][4][5][6] These ransom demands were sent to roughly 30,000 victims.[6] The company's security practices were found to be inadequate: the sensitive data was neither encrypted nor anonymized,[7][6] and the system root did not have a defined password.[8][9][10] The patient records were first accessed by intruders in November 2018, while the security flaws continued to exist until March 2019.[5]

In December 2021, the Finnish Data Protection Authority (DPA) fined Vastaamo 608,000 euros for violating the provisions of the General Data Protection Regulation (GDPR).[9][10] This cyber-attack became the biggest criminal case in Finnish history. It also turned into an international scandal and a cyber-attack unprecedented in its scope because of the double extortion tactic the cyber criminals applied.[11]

On October 28, 2022, the National Bureau of Investigation named the suspect behind the breach as 25-year-old Aleksanteri Julius Kivimäki.[12][13] Kivimäki was charged in absentia at Helsinki District Court for aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence.[12][14] An arrest warrant was filed with Europol and Interpol against Kivimäki stating that he was in Dubai.[14][13] In 2015, Kivimäki, then a member of Lizard Squad, was found guilty on over 50,000 counts of computer crime.[13][15]

Kivimäki was arrested in France on 3 February 2023.[16] He was extradited to Finland on 24 February.[17]

Background

Vastaamo was a Helsinki-based private psychotherapy center founded in 2008 that provided private mental-health services to its patients.[1] It was a firm with twenty-five therapy centers throughout the Nordic country of 5.5 million people.[18] Vastaamo operated as a sub-contractor for Finland's public health system.[19] Ville Tapio, ex-CEO of Vastaamo, first heard from the hacker on 28 September 2020. He immediately notified various government authorities, including the police.[6] On 21 October 2020, Vastaamo announced that its confidential treatment records of approximately 36,000 psychotherapy patients and 400 employees[20] had been compromised.[11] The psychotherapy center received a ransom demand for 450,000 euros in Bitcoin.[19] The leaked patient database contained psychotherapy clients’ personal information, such as their full names, home addresses, email addresses, social security numbers, names of the clinics where they received treatments, and therapists’ and doctors’ notes from each session.[21][6]

As the company refused to pay the ransom, the hacker, using the alias “ransom_man,”[18] published the therapist session notes of at least 300 patients,[22] including politicians and police officers,[23] on a public forum through the Tor network. The therapist session notes contained information about adulterous relationships, suicide attempts and pedophilic thoughts.[6] The hacker approached victims of the security breach directly with extortion emails demanding ransoms of 200 euros paid in Bitcoin, with the amount increased to 500 euros unless paid within 24 hours.[19] A 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the “dark web.”[18] Patient information was stolen during two attacks, which started as early as 2018. The first intrusion on Vastaamo's database took place in November 2018, and the systems were penetrated between the end of November 2018 and March 2019.[19][5] PTK Midco, a holding company owned by Intera Partners, a Finnish private equity firm, acquired a 70% stake in Vastaamo in May 2019. The company has asked for an inquiry into the acquisition and also requested that its acquisition of the company be cancelled and the purchase price be returned for failure to disclose the hacking.[23]

Ville Tapio was relieved of his duties as the chief executive of the psychotherapy center on 26 October 2020.[24] Vastaamo was declared bankrupt by the decision of the Helsinki District Court in February 2021.[10] In early March 2021, its staff and services were transferred to Verve, a provider of occupational welfare services. The company's patient database was not transferred over to Verve.[6]

Impact

The security breach has shaken societal trust in Finland's institutions, violated sensitive systems, and damaged faith in online social networks that are supposed to be properly secured. Thousands of victims have suffered anxiety, insecurity, and stress from this traumatic event, and the psychological effects from the trauma are long-lasting.[25] This created a national opportunity for public discussion about mental health issues.[25] Additionally, the weak security of health-care systems has been brought to the surface. This hacking incident had a wide impact on the healthcare industry's obligations to secure its networks and increase its accountability.[23] The security breach served as a wake-up call for Finnish cybersecurity, prompting increased preparation for digital attacks on medical healthcare providers and private education institutions.[26][27] Focus on balancing availability of information and data governance[21] has increased along with investments in companies' computer security since the hacking incident occurred. As a result of the data breach, the Finnish Data Protection Authority (DPA) started taking violations of the GDPR more seriously and increased enforcement activities.[10] The outcomes of investigations of the security breach, and also any sanctions established, now serve as a reference point for any future legal assessments.[23]

Responding to the hack

Immediately following the hack, the Finnish government's cabinet ministers held their regular Wednesday meeting to address cybersecurity issues, create new legislation regarding data security and identity theft, and promise emergency support for the victims.[26][28] More than 22,600 victims of blackmail in 2020 have visited Victim Support Finland (RIKU), an organization that provides counseling and support to victims of crimes.[25] Various Finnish organizations quickly established ways to help the victims, including direct dial-in numbers to churches and therapy services.[19] Organizations that provide victim support services include the Finnish Red Cross, Mental Health Finland, Victim Support Finland and the Evangelical Lutheran Church of Finland.[29] Additionally, many companies working with social security numbers and debt collection took action to help the victims whose identities had been stolen.[28] In order to rebuild public trust in the government and authorities, the Finnish central government requested that government agencies make sure the processing and handling of personal information is secure, to minimize the leakage of personal data.[29] Additionally, ministries conducted reviews of what they could do better within their own departments and how they could assure the public about the security of their personal data.[29] Finland's National Bureau of Investigation introduced an unprecedented Finnish criminal code, under which a person can be found guilty of a privacy violation against the data subject when they process personal data, either intentionally or through gross negligence, and cause damage or significant inconvenience to the data subject.[23] Furthermore, the Finnish government accelerated legislation that allowed its citizens to change their personal identity codes when there is a data breach that would involve a high risk of identity theft.[23]

In February 2023, 25-year-old Aleksanteri Kivimäki was extradited to Finland from France. He has since been kept in custody over crimes related to the hacking of patient records from the Vastaamo psychotherapy centre.[30]

In April 2023, Helsinki District Court sentenced the ex-CEO of Vastaamo, Ville Tapio, to a three-month suspended sentence. He was found guilty of a data protection crime mandated in the General Data Protection Regulation (GDPR).[31]

In October 2023, Aleksanteri Kivimäki was charged with stealing records of psychotherapy patients and over 21,000 counts of extortion.[32] His trial was scheduled to start on 13 November.[32]

In April 2024, Aleksanteri Kivimäki was sentenced to six years and three months in prison.[33] Author and information technology consultant Petteri Järvinen has used the relatively light sentence as proof that cybercrime often has no serious consequences for the perpetrator in Finland, even if the victims suffer from its results for the rest of their lives.[34]

References

  1. "Psykoterapiakeskus Vastaamo Oy | Yrityksen tiedot". IS Taloussanomat (in Finnish). Retrieved 2020-10-28.
  2. Teivainen, Aleksi (2021-01-06). "HS: Owner of Psychotherapy Centre Vastaamo asks for inquiry into acquisition". Helsinki Times. Retrieved 2022-03-31.
  3. "Psychotherapy centre's database hacked, patient info held ransom". Yle Uutiset. 2020-10-21. Retrieved 2020-10-28.
  4. Kleinman, Zoe (2020-10-26). "Therapy patients blackmailed for cash after clinic data breach". BBC News. Retrieved 2020-10-28.
  5. Sipilä, Jarkko (2020-10-27). "Therapy patients in Finland blackmailed after data breach". CNN. Retrieved 2020-10-28.
  6. Ralston, William. "They Told Their Therapists Everything. Hackers Leaked It All". Wired. ISSN 1059-1028. Retrieved 2022-02-23.
  7. "Tietoturva | Terapiapotilaisiin kohdistunut tietomurto on voinut vaarantaa tuhansien ihmisten tietosuojan, kyseessä on täysin "poikkeuksellinen tapahtuma"". Helsingin Sanomat (in Finnish). 2020-10-22. Retrieved 2020-10-24.
  8. "Kiristäjä julkaisi suomalaisten arkaluontoisia terapiakeskusteluja – vaatii 450 000:ta euroa tai jatkoa seuraa". Ilta-Sanomat (in Finnish). 2020-10-21. Retrieved 2020-10-24.
  9. "Psykoterapiakeskus Vastaamolle seuraamusmaksu tietosuojarikkomuksista" (in Finnish). 2021-12-16.
  10. "Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations | Data Protection Ombudsman's Office". Tietosuojavaltuutetun toimisto. Retrieved 2022-03-29.
  11. Alexis (2020-12-22). "The cyber attack that rocked the nation". Helsinki Times. Retrieved 2022-03-31.
  12. "Tällainen on Julius Kivimäki, jota epäillään Vastaamon tietomurrosta". Iltalehti (in Finnish). Retrieved 2022-11-21.
  13. "Court detains Finnish man in absentia as suspect in psychotherapy centre data hacks". Yle News. 2022-10-28. Retrieved 2022-11-21.
  14. "Etsintäkuulutettu Julius Kivimäki kertoo elinoloistaan HS:lle: väittää omistavansa rahastoihin liittyvän yrityksen". Ilta-Sanomat (in Finnish). 2022-11-13. Retrieved 2022-11-21.
  15. "Hacker Charged With Extorting Online Psychotherapy Service". Krebs on Security. 2022-11-03. Retrieved 2022-11-21.
  16. "French police arrest Finnish psychotherapy centre hacking, extortion suspect". Yle.fi. Yle. 2023-02-03. Retrieved 2023-02-03.
  17. "Vastaamon tietomurrosta epäilty Aleksanteri Kivimäki on tuotu Suomeen" (in Finnish). MTV. 2023-02-25. Retrieved 2023-02-28.
  18. AFP in Helsinki (2020-10-26). "'Shocking' hack of psychotherapy records in Finland affects thousands". The Guardian. Retrieved 2022-03-31.
  19. "Finland shocked by therapy center hacking, client blackmail". AP News. 2021-04-20. Retrieved 2022-03-31.
  20. "Ransomware Moves from 'Economic Nuisance' to National Security Threat". VOA. 2021-05-22. Retrieved 2022-03-31.
  21. Teivainen, Aleksi (2020-10-23). "Hacking may have compromised privacy of thousands of psychotherapy clients in Finland". Helsinki Times. Retrieved 2022-03-31.
  22. "Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients". threatpost.com. 2020-10-26. Retrieved 2022-03-31.
  23. "A dying man, a therapist and the ransom raid that shook the world". Wired UK. ISSN 1357-0978. Retrieved 2022-04-11.
  24. Teivainen, Aleksi (2020-10-27). "IS: Vastaamo fires CEO, saying he knew about hacking for 18 months". Helsinki Times. Retrieved 2022-03-31.
  25. "Extortion of therapy patients in Finland shakes culture of privacy". Christian Science Monitor. 2021-03-19. ISSN 0882-7729. Retrieved 2022-03-29.
  26. Milne, Richard (2020-10-26). "Finland police hunt blackmailer who hacked psychotherapy centre's records". Financial Times. Retrieved 2022-03-29.
  27. "Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients". threatpost.com. 2020-10-26. Retrieved 2022-03-29.
  28. "Vastaamo Data Breach: What We Know So Far". Finland Today | News in English | finlandtoday.fi. 2020-10-28. Retrieved 2022-04-11.
  29. Teivainen, Aleksi (2020-10-26). "Ohisalo: Finnish government to talk about hacking on Wednesday". Helsinki Times. Retrieved 2022-03-29.
  30. "Aleksanteri Kivimäki remanded into custody over Vastaamo hack". Yle Uutiset. 2023-02-28. Retrieved 2023-04-19.
  31. "Hacked therapy centre's ex-CEO gets 3-month suspended sentence". Yle Uutiset. 2023-04-18. Retrieved 2023-04-19.
  32. "Man accused of Finland psychotherapy hack charged with 21,000 counts of extortion". The Guardian. Agence France-Presse. 2023-10-18. Retrieved 2024-03-09.
  33. "Tällaisen tuomion Julius Kivimäki sai". Ilta-Sanomat (in Finnish). 2024-04-30. Retrieved 2024-04-30.
  34. "It-rikos kannattaa". Tivi (in Finnish). 2024-06-07. Retrieved 2024-09-19.