Personal data that came into the wrong hands forced 76-year-old Kaisa’s fierce paper war.
At the end of January Reed76, found a white envelope in its inbox. Inside it was a message from Valio’s pension fund and the insurance company between Valio. The message stated that Kaisa’s name and personal identification number had ended up in the wrong hands as a result of the burglary.
Kaisa’s first reaction was suspicion. He had never worked for Valio. Was it a scam?
Fast googling revealed that Valio had really been a burglary. The news said that Murto had happened through the company’s IT partner Vincit. The attacker had broken into a Vincit employee’s home computer and received VPN IDs.
The IDs accidentally synchronized from the machine through the password storage of the browser, allowing the attacker access to Valio’s registry information. The register contained information of 70,000 people. According to newspaper reports, more than 5,000 people had been caught by burglary.
– I was one of them.
The idea seemed strange because Kaisa had never worked for Valio.
-Then I remembered that in 1972 I had worked in Tampere in the Laboratory of Milk-Pirkka, a company called Milk-Pirkka, which focused on the quality control of dairy products. I checked online that the company still exists, but under Valio.
Personal data of more than half a century had been transmitted to new digital information systems without knowing the lawyer.
– I understand that insurance and pensions are statutory. But I was working there for a month and a half. Of course, I don’t get a pension from Valio. I think my information could be removed from their register, Kaisa says.
The letter justified the retention of data by legislation: “The Valio Pension Fund and Valio’s insurance company process and store personal data for the management of employment law and occupational disease insurance, statutory occupational and occupational disease insurance, and to the extent necessary to maintain the legislation.”
The details of the burglary were not stated in the letter. They survived the news. According to Kaisa, there was one surprising feature of the events.
-Valio’s IT partner Vincit announced that they had been injured, but it sounds pretty crazy. I would have imagined that they had more robust security arrangements.
Paper war
There was no other option for Kaisa but to start taking the security measures identified by the Valio letter to prevent identity theft.
That night, he made a voluntary credit ban on the tax administration so that he could not make online purchases or apply for instant or credit cards in his name. After that, the address had to make the address of the move to the post office so that no outsider could report in his or her name.
The Digital and Population Information Agency had to be banned to disclose contact information so that the social security number that came to the wrong hands could not be combined with other personal data.
It was the most difficult ban on the register of registration to the National Board of Patents and Registration, as the pages of the authority had fallen. However, Kaisa found a form she printed and signed. He then made a PDF file from the document, which was sent to the authority in a secure email.
– The ban on registration protects that no outsider can, unknowingly, declare me as a responsible person in the company or community, Kaisa says.
The next day, he called his acquaintance who had worked as a security expert at Nokia.
– He called for a ban on Traficom so that no outsider could get information about my vehicle.
A friend joked that at such times it would be safest to deposit the money under the pillows and get a pistol.
– I may not dare to get a pistol when my finger easily slips already on the computer keyboard. But I have been seriously wondering how older people, in particular, do well in security matters. After all, I still do well in the digital world, Kaisa says.
Once the other precautions were taken, Kaisa still agreed with her phone operator with an additional password that will provide additional protection for authentication in the future. Kaisa does not appear in this story under her own name, but her identity is known to Kauppalehti.
Pension information must be kept
Kauppalehti is aware of another case in which a person who had been on a summer job on a familiar farm more than 50 years ago was the victim of Valio’s burglary. He had never known he had ever been employed by Valio.
Apparently, through the Dairy Cooperative, however, individual dairy farms – and those who worked on them – have been clients of Valio’s pension fund.
But is it really that the pension company is allowed to maintain personal information over 50 years old in its register?
– Yes. Long retention periods come from pension legislation, says the Leader of Laws Karoliina Kiuru From the Finnish Center for Pensions.
The law requires preserving data even after the death of a person, as work can also affect the widow’s pension.
Another question is why a company like Valio has its own pension fund at all. Corresponding arrangements are beginning to be the curiosity of the pension system. According to the Finnish Center for Pensions, private checks like Valio have less than one percent of all employed pensioners.
Valion is one of the four remaining pension funds. In addition, the pharmacies have their own cash, the forest industry has a shoot and a truck in the Reka Pension Fund.
In addition to retirement funds, there are six pension funds in Finland that manage statutory pension security for their clients. At the turn of the millennium, there were 37 foundations.
Valio’s case is being investigated
Valio’s fracture has also employed the office of the Data Protection Ombudsman.
– In the case of a breakdown on the Valio information network, the Office of the Data Protection Ombudsman will determine whether all the companies that have been subject to a burglary have complying with their obligations on data protection legislation and, for example Heljä-Tuulia yard.
The investigation is still ongoing and he does not comment on an unfinished issue.
– If it turns out that there are shortcomings in the definition of retention periods or that information has been retained for a long time, measures may be taken.
According to the yard, the Data Protection Ombudsman has also received contacts from individuals about long retention times.