The City of Helsinki is investigating a data breach in its education division, which it discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel.
Though information about the attack was circulated on May 2, 2024, the city’s authorities shared more details in a press conference earlier today.
According to the details disclosed today, an unauthorized actor gained access to a network drive after exploiting a vulnerability in a remote access server.
While the officials did not state what remote access product was targeted, they shared that a security patch for the vulnerability was available at the time of the attack but had not been installed.
The accessed drive contained tens of millions of files, most devoid of personally identifiable information (PII). Still, some included usernames, email addresses, personal IDs, and physical addresses.
Additionally, the exposed drive contained information about fees, childhood education and care, children’s status, welfare requests, medical certificates, and other highly sensitive information.
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply,” commented city manager Jukka-Pekka Ujula.
“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians.”
“The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses.”
Due to the large size of the exposed data, investigating what has been compromised is expected to take some time.
Meanwhile, the City of Helsinki has notified the Data Protection Ombudsman, the Police, and Traficom’s National Cyber Security Centre accordingly.
At this stage, those impacted people do not need to contact the police but are requested to report any suspicious communications to “kaskotietoturvatilanne@hel.fi” or “+358 9 310 27139” and follow the advice provided by Traficom to data breach victims.
By the time of writing this, no ransomware groups have assumed responsibility for the attack, so the perpetrators remain unknown.