Cyber Incident Victim: City of Helsinki
Date: Apr 2024
Location: Finland
Summary
The City of Helsinki experienced a significant data breach impacting its Education Division's network, where threat actors exploited an unpatched vulnerability in a remote access server to gain unauthorized entry. Compromised data included all personnel usernames and email addresses, personal IDs, addresses of students and guardians, and tens of millions of files from network drives—encompassing routine records alongside sensitive information such as medical certificates, special support needs, childcare fee details, and staff sick leave records. The breach potentially affected over 80,000 current and former students, guardians, and all city employees, with risks extending to individuals under non-disclosure restrictions. Authorities confirmed the attack was contained to the Education Division, though city-wide network monitoring was intensified, and inadequate security controls were cited as a contributing factor. Police investigations are ongoing, with the city prioritizing protective measures and collaboration with regulatory bodies.
Description
The City of Helsinki suffered a significant data breach impacting its Education Division, first detected on April 30, 2024, during overnight hours. Threat actors exploited an unpatched vulnerability in the division’s remote connection server, gaining unauthorized access to its computer network. Although a security patch for this vulnerability existed, it had not been installed due to inadequate security controls and maintenance procedures. The breach was immediately reported to Finnish police, the Data Protection Ombudsman, and Traficom’s Cybersecurity Centre, with an investigation launched to determine the full scope. Initial analysis confirmed the compromise of tens of millions of files stored on network drives, primarily containing routine personal data but also including highly sensitive documents. The City implemented containment measures, including enhanced monitoring across all municipal networks, though no evidence indicated lateral movement to other divisions. Executive Director Satu Järvenkallas emphasized the challenge of assessing precisely which data was accessed due to the breach’s scale, while Digital Director Hannu Heikkinen acknowledged procedural failures in patch management and security protocols.

The incident exposed Education Division data spanning multiple years, affecting current and former stakeholders. Compromised information included all city personnel usernames and email addresses, as well as personal identification numbers and addresses of students, guardians, and Education Division staff. Sensitive documents included early childhood education fee details, student welfare requests, medical certificates for study suspensions, special support needs documentation, and employee sick leave records. The City confirmed the potential exposure of data subject to non-disclosure restrictions. City Manager Jukka-Pekka Ujula stated the breach could impact over 80,000 students and guardians in the worst-case scenario, given historical service usage. Response efforts prioritized customer support channels, including a dedicated helpline and collaboration with mental health organizations like MIELI Finland. Forensic work revealed the attacker’s access vector but found no evidence of data exfiltration from other city departments. Police classified the incident as an aggravated data breach, with the City as the sole complainant, eliminating the need for individual victim reports. Ongoing investigations focus on attack attribution and residual risks, while the City continues public updates via its hel.fi/tietomurto portal.
