Hackers exploited an unpatched remote access server vulnerability in the Helsinki education division data breach to scour through records of 80,000 students, their guardians, and scores of administrative personnel.
The City of Helsinki detected the data breach on April 30, promptly initiating an investigation that found the hacker had gained access to student and personnel usernames and email addresses.
Hannu Heikkinen, the chief digital officer of the City of Helsinki, in a Monday press conference said, “Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division.”
“Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” Heikkinen said.
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” said City Manager Jukka-Pekka Ujula. “We regret this situation deeply.”
Helsinki Education Division Data Breach Linked to Remote Access Bug
The preliminary investigation found out that the Helsinki Education Division data breach was possible due to a vulnerability in a remote access server.
“The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.”
The city authorities did not reveal the name of the remote access server but said a hotfix patch was available at the time of exploitation, but why it was not installed on the server is currently unknown. “Our security update and device maintenance controls and procedures have been insufficient,” said Heikkinen.
The breach targeted an extensive group, with most of the network drive data – comprising of tens of millions of files – containing non-identifying information or ordinary personal data, minimizing potential abuse, according to the city authorities.
However, some files include confidential or sensitive personal data such as fees for early childhood education customers, children’s status information like information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, and sick leave records of Education Division personnel.
The data breach also includes historical customer and personnel data. Meaning, even if an individual is not currently a customer or a member of staff at the Education Division, the hacker may still have accessed their data.
“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians,” Ujula said.
Satu Järvenkallas, executive director of the Education Division, said the authorities are currently unable to provide an accurate assessment of what data the hacker may have accessed as “the volume of data under investigation is significant.”
VPN Gateways, Network Edge Devices Need ‘Special Attention’
The City officials immediately notified the Data Protection Ombudsman, the Finnish Police, and Traficom’s National Cyber Security Centre after the discovery of the data breach at the Helsinki’s Education Division.
Traficom’s cybersecurity center acknowledged the notification and said it was supporting the City of Helsinki in investigating the case. “The data breach that targeted the City of Helsinki is exceptionally large for its size in the municipal sector. The case affects many Finns and causes great concern,” it said on platform X (formerly known as Twitter).
Critical vulnerabilities in network edge devices like this pose a risk to organizations’ cybersecurity, said Traficom’s NCSC. Exploiting the vulnerabilities of VPN products intended for establishing secure remote connections, it is also possible for parties outside the organization to gain access to the internal networks, “especially if other measures to limit the attack are not in use,” it added.
“Severe and easy-to-exploit vulnerabilities have been detected in the network edge devices of many major device manufacturers, such as VPN gateways, in the past six months,” said Samuli Bergström, the director of the cybersecurity center. “That is why it is important that special attention is paid to resources and expertise in organizations.”
A very recent example of one such VPN appliance abuse is the zero-day exploitation in Ivanti VPN products, Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. Chinese state-backed hackers used two zero-day vulnerabilities in these products: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug to compromise several organizations including MITRE.
“Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city’s senior management,” Ujula said.
“After the breach, we have taken measures to ensure that a similar breach is no longer possible,” Heikkinen added.
“We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.”
Information for affected individuals is available via the Traficom’s Cybersecurity Centre website, data breach customer service, crisis emergency services and MIELI Mental Health Finland.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.