This was the Password of the Counter

The police’s preliminary investigation material reveals what was wrong with Vastaamo’s information security.

Psykoterapiakeskus Vastaamo’s data security had several significant deficiencies. The preliminary investigation by the National Bureau of Investigation found that an external attacker exploited these security flaws and thereby obtained the sensitive patient data of tens of thousands of Finns.

Conversations among Vastaamo’s employees show that already in 2018 they were remarking that information security was “just right”.

– We’re in a fucking mess, it was commented in a Skype conversation in 2018.

Vastaamo was probably hacked as early as 2018, but the police were not notified of the crime until 2020.

According to the prosecutor, there was no investment in Vastaamo’s information security. Police preliminary investigation material

After this, the cyber security consulting company Nixu investigated Vastaamo’s information security. It emerged that the company’s database username and password had been in use since 2012. The password for the username “reception” was sjuka66, while the user “root” had no password at all.

The general guideline for a secure password is that it is as long as possible, contains upper and lower case letters, numbers and special characters, and that it is changed often enough.
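The guideline above can be turned into a mechanical check. The following is an added example, not code from the article, Nixu or Vastaamo: it audits a constructed list of database accounts against the stated rules (length, upper and lower case letters, digits, special characters, and age). The minimum length, the rotation limit and the audit date are assumptions chosen for the example; the two account entries reproduce the credentials described in the article.

```python
import re
from datetime import date

# Assumed policy parameters (not figures from the article).
MIN_LENGTH = 12      # "as long as possible" needs a concrete floor
MAX_AGE_DAYS = 365   # "changed often enough": rotate at least yearly


def check_password_policy(password, set_on, today=date(2020, 10, 1)):
    """Return a list of policy failures; an empty list means the password passes.

    The checks follow the general guideline quoted in the article. `set_on` is
    the date the password was last set; `today` defaults to an assumed audit date.
    """
    if password == "":
        # Nothing else is worth reporting for an empty password.
        return ["empty password"]

    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")

    age_days = (today - set_on).days
    if age_days > MAX_AGE_DAYS:
        failures.append(f"not changed for {age_days} days")
    return failures


def audit_accounts(accounts, today=date(2020, 10, 1)):
    """Map each account name to its list of failures.

    `accounts` is an iterable of (username, password, date_set) tuples.
    """
    return {
        username: check_password_policy(password, set_on, today)
        for username, password, set_on in accounts
    }


# Constructed sample: the two accounts named in the article. The article says
# the credentials were in use since 2012; the exact day is an assumption.
SAMPLE_ACCOUNTS = [
    ("reception", "sjuka66", date(2012, 1, 1)),
    ("root", "", date(2012, 1, 1)),
]

if __name__ == "__main__":
    for name, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run as a script, the audit flags both accounts: “reception” for being too short, lacking upper-case and special characters, and being years old, and “root” for having no password. A password such as a long mixed-case passphrase with a digit and a separator, set on the audit date, returns no failures.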

At least CEO Ville Tapio had access to the patient data with these credentials, although according to the self-monitoring plan this should not have been the case.

The patient database contained the customers’ contact details, personal information and appointment notes. The various pieces of information on an individual customer could be linked together.

A hacker took Vastaamo’s patient information probably as early as 2018. In March 2019, an outsider accessed the database again. At that time, patient information was tampered with or destroyed, and a blackmail message was left for Vastaamo.

Blackmail messages

Such a blackmail message was left instead of patient information. Police preliminary investigation material

Together with weak passwords and neglected data security, one significant reason for the data breach was an open communication port.

Normally, patient information was behind a closed connection, but at the end of 2017, one of the IT employees asked for the communication port to be opened. The port stayed open for a year and a half.

The port was closed in March 2019. Two days later, Vastaamo found out that an outside party had tampered with patient data and sent the first blackmail message.

The next time Tapio and two IT employees received a blackmail message was in September 2020. The blackmailer threatened to publish the information on the internet if Vastaamo did not agree to the blackmailer’s demands.

Vastaamo filed a criminal complaint. Soon, the sensitive information of more than 30,000 Finns was published on the dark web via the Tor network.

The former CEO of Vastaamo, Ville Tapio, is accused of a data protection crime. Antti Nikkanen

The prosecutor demands a prison sentence for former CEO Ville Tapio for a data protection crime. Regarding the two IT employees, the prosecutor already made a decision not to press charges.

Aleksanteri Kivimäki, who has previously used the first name Julius, is suspected of the data breach itself. The criminal investigation is ongoing.

Iltalehti exceptionally publishes the identities of the suspects already during the criminal process due to the socially significant nature of the suspected crime.
