Ville Tapion should have paid the blackmailer, says the expert

Psychotherapy center Vastaamo’s main hearing of the data breach began in November at the district court of Western Uusimaa in Espoo.

Data security expert and information writer Petteri Järvinen has followed the trial closely. Iltalehti asked Järvinen’s view of the Vastaamo hacker’s IT skills based on what has emerged in the trial.

A young hacker is suspected of the Vastaamo data breach Aleksanteri Kivimäki26. He has denied the charges.

The gates of the reception desk are “fully open”

According to Järvinen, no facts have been revealed in the trial that would indicate that the author was at least an exceptionally skilled hacker.

Before the Vastaamo data breach, the accused has reportedly scanned a huge number of web addresses looking for vulnerabilities and open databases.

– According to his own explanation, he intended to turn it into a business and sell information to cyber insurance sellers, among other things. This kind of scanning is commonplace and anyone can do it, says Järvinen.

However, in Järvinen’s words, the gates of the counter were “fully open”.

– The hacker didn’t have to pick the lock or come up with anything clever, because the door was wide open. Probably others also found the place, perhaps looking for credit card numbers or other valuables, but didn’t understand Finnish and therefore didn’t understand the meaning of the database. Apparently, the perpetrator didn’t immediately investigate the loot either, but realized the possibility of extortion only a couple of years later.

The story continues below the picture.

Järvinen describes the actual extortion as elementary.

– The author made a basic mistake when timing the publication of critical information. His own home directory would have been completely exposed if he hadn’t run out of disk space.

“No technical skills required”

The data security expert also considers blackmail to be clumsy. Victims were required to pay 200 euros worth of bitcoins immediately or 500 euros worth after a couple of days.

– Hijacking the health database and blackmailing individual customers is a really exceptional and bad strategy, because it is tedious for the perpetrator and condemned by everyone, says Järvinen.

According to Järvinen, simply blackmailing the company would not have sounded so bad.

– Vastaamo, which has grown aggressively, could well have afforded to pay 366,000 euros, Järvinen says, referring to the demand addressed to the company’s management for 40 bitcoins in exchange for not publishing information.

– In hindsight Ville Tapio (Vastaamo’s former CEO) would also have been worth doing so. Now Tapio lost everything, including his reputation, he downloads.

The story continues below the picture.

In April, the District Court of Helsinki sentenced Tapio to a three-month suspended prison term for a data protection offence. Tapio was considered to have known about the weaknesses in his company’s information security and the data breach, but instead of addressing them, covered up the matter.

The mistakes of the counter extortionist, Järvinen puts either long monitoring or tension. According to Järvinen, it was by no means a performance requiring skill.

– There is nothing in the activities that requires technical know-how or purposeful planning.

Overestimate yourself

According to Järvinen’s assessment, the accused not only overestimated his own, but also underestimated the police’s abilities. For example, the authorities managed to crack the accused’s 64-character password.

– I don’t know how the hell (the police managed to do it), Järvinen is amazed.

– In addition, backups from other servers containing information referring to the accused were found on the deleted servers. Credit card payments could be linked to him, and the police identified his fingerprints from the photo sent to Ylilauda. A picture of his grandparents’ cabin was found on one server, Järvinen lists the facts that came up in court.

– An experienced criminal would not fall for such tricks. The perpetrator has probably acted as a lone wolf in his criminal attempts, which of course increases the probability of human errors. Criminal cops can act more planned and carefully.

Hacking is not difficult

Järvinen says that basically anyone can become a hacker, because the tools are practically free and available to everyone.

According to Järvinen, becoming a hacker requires coding skills and an interest in the field, as well as patience.

– But it’s not difficult, he states.

Järvinen says that “easy targets” can be found by scanning the internet.

– Even my own network can receive thousands of access attempts per day, Järvinen says and says that on Thursday alone, almost 15,000 “knocks” were logged in the firewall log.

– Difficult objects then require multi-phase action, says Järvinen.

This kind of activity can include, for example, collecting phone numbers, setting up fake websites and sending luring messages.

– In short, hacking can be learned, but real cybercrime requires cooperation with others, says Järvinen.

A legal career is also possible

If you are interested in the search for information security gaps, Järvisen can suggest legal career paths.

– Information security companies hire experts in the field and you can always start selling your own expertise independently, Järvinen advises.

Money is also paid for discovered security holes, quite legally, through various bug bounty programs.

– Becoming a criminal is a conscious choice, for which you have to bear the consequences, warns Järvinen.

The prosecutor is seeking a prison sentence of years

In November, Aleksanteri Kivimäki was charged with more than 30,000 crimes in the district court of Länsi-Uusimaa. Criminal titles include aggravated data breach, aggravated extortion, and aggravated dissemination of information that violates private life.

The prosecutor demands a seven-year sentence for Kivimäki, who is in remand custody.

Kivimäki has denied all the charges, and according to his own words, he is not behind the data breach and extortion.