Brutal revelations about Vastaamo’s information security

During police interrogations, employees of Vastaamo’s IT department accused Ville Tapio of indifference to data protection.

In the preliminary investigation, it was said that Vastaamo’s ex-CEO did not care about information security. OUTI LAKE

  • The prosecutor’s documents contain harsh claims about Vastaamo’s ex-CEO.
  • According to the allegations, Ville Tapio completely under-resourced information security.
  • External experts found serious deficiencies in Vastaamo’s information security.

Based on the documents released from the Vastaamo case, the company pushed data protection aside in favor of profit-seeking.

In the interrogations carried out during the preliminary investigation by the police, it appeared that Vastaamo did not invest much in IT resources. The main focus was on expanding the company and establishing new offices.

In the preliminary investigation, Vastaamo’s ex-CEO Ville Tapio was heard as a suspect, as were two men who worked in Vastaamo’s IT department. For the two IT employees, the prosecutor decided not to bring charges.

During police interrogations, they told about insufficient resources and accused Tapio of being indifferent to data protection.

Data security was not managed

The views of Vastaamo’s IT employees about limited resources are confirmed by external experts. For example, according to the Cybersecurity Centre, taking care of Vastaamo’s information security would have required the work of at least 5–6 IT professionals.

However, Vastaamo had only two people doing this work. Based on the preliminary investigation, their skills were insufficient for the requirements of the job. Their employment contracts concerned coding and development rather than information security.

The employee who was in charge of data protection had not received any training for the role, and his duties did not include managing technical data security, only ensuring that the company complied with the data protection regulation. Based on the preliminary investigation, training depended on the employees’ own initiative.

According to a person who was part of the company’s information security committee, Tapio considered data protection training to be a misuse of employees’ time. Although, according to him, Tapio listened to the concerns, he did nothing concrete to correct them.

Data security on a zero-hours contract

According to the police, the IT department had no actual budget. The employees did much of their work on zero-hours contracts and were called in only when necessary. The lack of resources was also visible in the daily life of Vastaamo’s employees as delays of months in handling work tasks.

Both employees heard as suspects said that they had expressed their concerns about insufficient information security and had made procurement proposals to Tapio to improve it. However, the proposals were not approved.

According to the CEO of the company that provided Vastaamo with server services, Vastaamo’s budgets were far too low. The budget was small and was stretched by using free tools.

For example, the virtualization platform used by the company was a pirated version.


Serious deficiencies were found in Vastaamo’s information security over a long period. Karoliina Vuorenmäki

Tapio concealed the first extortion

Based on the decisions not to prosecute, the most serious accusations against Tapio relate to how he acted after Vastaamo was targeted with a blackmail message on March 15, 2020. An outside party was able to log into the database without permission and destroy it.

In its place, a blackmail message was left, demanding virtual currency in exchange for restoring the database.

However, the data security breach was not reported to the authorities; instead, the cause of the data loss was given as “a crash of the information system”. The matter only came to light later in Nixu Corporation’s investigation, because traces remained of the destruction of the netflow data related to the extortion.

According to the IT employees, the order to hide the events came from Tapio. One IT employee said that he had destroyed all the netflow data related to the data breach on Tapio’s order. The other suspect said that Tapio had decided there was no reason to report the matter to the authorities.

According to Ville Tapio, he only found out what had happened in October 2020. He says that the IT department had in fact hidden it from him.

Passwords were also deficient

The investigation carried out by Nixu Corporation found several deficiencies in Vastaamo’s information security that endangered the security of patient data. The most significant and serious data security failures occurred in the years 2017–2019. The communication port of Vastaamo’s database, which should have been closed to outside connections, was open to the internet from November 26, 2017 to March 13, 2019.

Vastaamo’s password policies were also inadequate. The IT investigation by the National Bureau of Investigation (KRP) revealed that the “root” user account of the patient register had no password at all.

On 28 September 2020, Ville Tapio and Vastaamo’s IT employees received a blackmail message via e-mail, in which the blackmailer said that he had taken possession of Vastaamo’s entire patient register. The extortionist threatened to publish the information on the internet, unless Vastaamo agreed to the extortionist’s demands.

The extortionist sent three e-mails, attaching samples from the database covering 2012–2017. In his last message, the extortionist announced that he had downloaded the information a few months earlier directly from the database containing Vastaamo’s patient information.

The matter was reported to the authorities at this stage. Later, the blackmailer carried out his threat and leaked the information online.

The prosecutor announced today that he has filed charges against the company’s former CEO, Ville Tapio.
