Vastaamo data breach

Last updated
Vastaamo data breach
Date
  • November, 2018 (first intrusion)
  • March, 2019 (second penetration)
  • October 21, 2020 (became public)
LocationFinland
Typecyberattack, data breach, ransomware
TargetVastaamo
Suspects Aleksanteri Kivimäki  [ fi ]

Vastaamo was a Finnish private psychotherapy service provider founded in 2008. [1] On 21 October 2020, Vastaamo announced that its patient database had been hacked. Private information obtained by the perpetrators was used in an attempt to extort Vastaamo and, later, its clients. [2] The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid. To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.

Contents

After extortion of the company failed, the extorters sent emails to the clients whose data they had obtained, demanding that they pay ransoms in order to avoid publication of their sensitive personal data. [3] [4] [5] [6] These ransom demands were sent to roughly 30,000 victims. [6] The company's security practices were found to be inadequate: the sensitive data was not encrypted and anonymized [7] [6] and the system root did not have a defined password. [8] [9] [10] The patient records were first accessed by intruders in November 2018, while the security flaws continued to exist until March 2019. [5]

In December 2021, the Finnish Data Protection Authority (DPA) fined Vastaamo 608,000 euros for violating the provisions of the General Data Protection Regulation (GDPR). [9] [10] This cyber-attack became the biggest criminal case in Finland history. It also turned into an international scandal and a cyber-attack unprecedented in its scope due to the tactic called double extortion applied by the cyber criminals. [11]

On October 28, 2022, the National Bureau of Investigation named the suspect behind the breach as 25-year-old Aleksanteri Julius Kivimäki. [12] [13] Kivimäki was charged in absentia at Helsinki District Court for aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence. [12] [14] An arrest warrant was filed with Europol and Interpol against Kivimäki stating that he was in Dubai. [14] [13] In 2015, Kivimäki, then a member of Lizard Squad, was found guilty on over 50,000 counts of computer crime. [13] [15]

Kivimäki was arrested in France on 3 February 2023. [16] He was extradited to Finland on 24 February. [17]

Background

Vastaamo, a Finnish company that provided private mental-health services to its patients, founded in 2008. Vastaamo.fi-logo.jpg
Vastaamo, a Finnish company that provided private mental-health services to its patients, founded in 2008.

Vastaamo was a Helsinki-based private psychotherapy center founded in 2008 that provided private mental-health services to its patients. [1] It was a firm with twenty-five therapy centers throughout the Nordic country of 5.5 million people. [18] Vastaamo operated as a sub-contractor for Finland's public health system. [19] Ville Tapio, ex-CEO of Vastaamo first heard from the hacker on 28 September 2020. He immediately notified various government authorities, including the police. [6] On 21 October 2020, Vastaamo announced that its confidential treatment records of approximately 36,000 psychotherapy patients and 400 employees [20] had been compromised. [11] The psychotherapy center received a ransom demand for 450,000 euros in Bitcoin. [19] The leaked patient database contained psychotherapy clients’ personal information, such as their full names, home addresses, email addresses, social security numbers, names of the clinics where they received treatments, and therapists’ and doctors’ notes from each session. [21] [6]

As the company resisted to pay the ransom, the hacker, using the alias “ransom_man,” [18] published the therapist session notes of at least 300 patients, [22] including politicians and police officers, [23] on a public forum through the Tor network. The therapist session notes contained information about adulterous relationships, suicide attempts and pedophilic thoughts. [6] The hacker approached victims of the security breach directly with extortion emails demanding ransoms of 200 euros paid in Bitcoin, with the amount increased to 500 euros unless paid within 24 hours. [19] A 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists had appeared on websites on the “dark web.” [18] Patient information was stolen during two attacks, which started as early as 2018. This first intrusion on Vastaamo's database took place in November 2018, and the systems were penetrated between the end of November 2018 and March 2019. [19] [5] PTK Midco, a holding company owned by Intera Partners, a Finnish private equity firm, which acquired a 70% stake in Vastaamo in May 2019. The company has asked for inquiry into acquisition and also requested that its acquisition of the company be cancelled and the purchase price be returned for failure to disclose hacking. [23]

Ville Tapio was relieved of his duties as the chief executive of the psychotherapy center on 26 October 2020. [24] Vastaamo was declared bankrupt by the decision of the Helsinki District Court in February 2021. [10] In early March 2021, its staff and services were transferred to Verve, a provider of occupational welfare services. The company's patient database was not transferred over to Verve. [6]

Impact

The security breach has shaken societal trust in Finland's institutions, violated sensitive systems, and damaged faith in online social networks that are supposed to be properly secured. Thousands of victims have suffered anxiety, insecurity, and stress from this traumatic event, and the psychological effects from the trauma are long-lasting. [25] This created a national opportunity for public discussion about mental health issues. [25] Additionally, weak security of health-care systems has been brought to the surface. This hacking incident had a wide impact on healthcare industry's obligations to secure their networks and increase their accountability. [23] The security breach served as a wake-up call for Finland's cyber security who then increased preparation for digital attacks on medical healthcare providers and private education institutions. [26] [27] Focus on balancing availability of information and data governance [21] has increased along with investments in companies' computer security since the hacking incident occurred. As a result of the data breach, the Finnish Data Protection Authority (DPA) started taking the violations of the GDPR more seriously and increased enforcement activities. [10] The outcomes of investigations of the security breach, and also any sanctions established, now serve as a reference point to any future legal assessments. [23]

Responding to the hack

Immediately following the hack, the cabinets from the Finnish government held their regular Wednesday meeting to address cybersecurity issues, create new legislation regarding data security and identity thefts, and promise emergency support for the victims. [26] [28] More than 22,600 victims of blackmail in 2020 have visited The Victim Support Finland (RIKU), an organization that provides counseling and support to victims of crimes. [25] Various Finnish organizations have quickly established ways to help the victims, including direct dial-in numbers to churches and therapy services. [19] Organizations that provide victim support services include Finnish Red Cross, Mental Health Finland, Victim Support Finland and the Evangelical Lutheran Church of Finland. [29] Additionally, many companies working with social security numbers and debt collecting had taken action to help the victims whose identities have been stolen. [28] In order to rebuild public trust in the government and authorities, the Finnish central government requested that government agencies make sure the processing and handling of personal information is secure to minimize the leakage of personal data. [29] Additionally, ministries conducted reviews on what they can do better within their own departments and how they can assure the public about the security of their personal data. [29] The Finland's National Bureau of Investigation introduced an unprecedented Finnish criminal code, where a person can be found guilty of the privacy violation of the data subject when they process personal data, either intentionally or through gross negligence, and cause damage or significant inconvenience to the data subject. [23] Furthermore, the Finnish government accelerated legislation that allowed its citizens to change their personal identity codes when there is a data breach that would involve high risk of identity theft. [23]

In February 2023, 25-year-old Aleksanteri Kivimäki was extradited to Finland from France. He has since been kept in custody over crimes related to the hacking of patient records from the Vastaamo psychotherapy centre. [30]

In April 2023, Helsinki District Court sentenced the ex-CEO of Vastaamo, Ville Tapio, to a three-month suspended sentence. He was found guilty of a data protection crime mandated in the General Data Protection Regulation (GDPR). [31]

In October 2023, Aleksanteri Kivimäki was charged with stealing records of psychotherapy patients and over 21,000 counts of extortion. [32] His trial was scheduled to start on 13 November. [32]

In April 2024 Aleksanteri Kivimäki was sentenced to six years and three months in prison. [33] Author and information technology consultant Petteri Järvinen  [ fi ] has used the relatively light sentence as proof that cybercrime often has no serious consequences for the perpetrator in Finland, even if the victims suffer from its results for the rest of their lives. [34]

See also

Related Research Articles

<span class="mw-page-title-main">Extortion</span> Criminal offense of obtaining benefit through coercion

Extortion is the practice of obtaining benefit through coercion. In most jurisdictions it is likely to constitute a criminal offence; the bulk of this article deals with such cases. Robbery is the simplest and most common form of extortion, although making unfounded threats in order to obtain an unfair business advantage is also a form of extortion.

A black hat is a computer hacker who violates laws or ethical standards for nefarious purposes, such as cybercrime, cyberwarfare, or malice. These acts can range from piracy to identity theft. A Black hat is often referred to as a "cracker".

Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">Teivo Teivainen</span> Finnish political scientist (born 1965)

Teivo Teivainen is professor of World Politics at the University of Helsinki. Having received his PhD in 2000 at the University of Helsinki, Teivainen became the founding director of the Program on Democracy and Global Transformation at the National University of San Marcos, in Lima, Peru in 2003.

<span class="mw-page-title-main">Sextortion</span> Non-physical forms of coercion to extort sexual favors from the victim

Sextortion employs non-physical forms of coercion to extort sexual favors from the victim. Sextortion refers to the broad category of sexual exploitation in which abuse of power is the means of coercion, as well as to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion.

<span class="mw-page-title-main">Laura Räty</span>

Laura Kaarina Räty is a Finnish politician, former Minister of Social Affairs and Health and a business director at the Finnish private hospital corporate group Terveystalo.

Lizard Squad Hacker group

Lizard Squad was a black hat hacking group, mainly known for their claims of distributed denial-of-service (DDoS) attacks primarily to disrupt gaming-related services.

<span class="mw-page-title-main">Jyväskylä library stabbing</span> Stabbing in Finland

The Jyväskylä library stabbing took place on January 30, 2013, when members of the Finnish Resistance Movement, a branch of the Nordic Resistance Movement, had organized a demonstration in the city of Jyväskylä, Finland, and protesters assaulted three individuals as a group.

Bug poaching is a cyberextortion tactic in which a hacker breaks into a corporate network and creates an analysis of the network’s private information and vulnerabilities. The hacker will then contact the corporation with evidence of the breach and demand ransom.

<span class="mw-page-title-main">Cannabis in Finland</span>

Cannabis in Finland is illegal. The 50th chapter of the Criminal Code criminalises all dealings with illegal narcotics, including the production, import, transport, sale, possession and use of cannabis.

<span class="mw-page-title-main">Sanna Marin</span> Prime Minister of Finland from 2019 to 2023

Sanna Mirella Marin is a Finnish former politician who served as prime minister of Finland from 2019 to 2023 and as the leader of the Social Democratic Party of Finland (SDP) from 2020 to 2023. She was a Member of Parliament from 2015 to 2023. She was re-elected as member of parliament in April 2023 but resigned to become a strategic adviser on political leaders' reform programmes in the Tony Blair Institute in September 2023.

<span class="mw-page-title-main">2017 Turku attack</span> Terrorist attack in Turku, Finland

The 2017 Turku attack took place on 18 August 2017 at around 16:02–16:05 (UTC+3) when 10 people were stabbed in central Turku, Southwest Finland. Two women were killed in the attack and eight people sustained injuries.

The Dark Overlord is an international hacker organization which garnered significant publicity through cybercrime extortion of high-profile targets and public demands for ransom to prevent the release of confidential or potentially embarrassing documents.

In December 2018, it transpired that adult men, all of whom had arrived in Finland as asylum seekers or refugees, were grooming, and raping and otherwise sexually abusing, girls under 15 years of age in Oulu, Finland. One victim ended up committing suicide. The Oulu Police Department warned young girls and parents, while emphasizing that "not all people with foreign backgrounds are dishonest or criminals".

Events from the year 2020 in Finland

Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.

References

  1. 1 2 "Psykoterapiakeskus Vastaamo Oy | Yrityksen tiedot". IS Taloussanomat (in Finnish). Retrieved 2020-10-28.
  2. Teivainen, Aleksi (2021-01-06). "HS: Owner of Psychotherapy Centre Vastaamo asks for inquiry into acquisition". Helsinki Times. Retrieved 2022-03-31.
  3. "Psychotherapy centre's database hacked, patient info held ransom". Yle Uutiset. 21 October 2020. Retrieved 2020-10-28.
  4. Kleinman, Zoe (2020-10-26). "Therapy patients blackmailed for cash after clinic data breach". BBC News. Retrieved 2020-10-28.
  5. 1 2 3 Sipilä, Jarkko (2020-10-27). "Therapy patients in Finland blackmailed after data breach". CNN. Retrieved 2020-10-28.
  6. 1 2 3 4 5 6 7 Ralston, William. "They Told Their Therapists Everything. Hackers Leaked It All". Wired. ISSN   1059-1028 . Retrieved 2022-02-23.
  7. "Tietoturva | Terapiapotilaisiin kohdistunut tietomurto on voinut vaarantaa tuhansien ihmisten tietosuojan, kyseessä on täysin "poikkeuksellinen tapahtuma"". Helsingin Sanomat (in Finnish). 2020-10-22. Retrieved 2020-10-24.
  8. "Kiristäjä julkaisi suomalaisten arkaluontoisia terapiakeskusteluja – vaatii 450 000:ta euroa tai jatkoa seuraa". Ilta-Sanomat (in Finnish). 2020-10-21. Retrieved 2020-10-24.
  9. 1 2 "Psykoterapiakeskus Vastaamolle seuraamusmaksu tietosuojarikkomuksista" (in Finnish). 2021-12-16.
  10. 1 2 3 4 "Administrative fine imposed on psychotherapy centre Vastaamo for data protection violations | Data Protection Ombudsman's Office". Tietosuojavaltuutetun toimisto. Retrieved 2022-03-29.
  11. 1 2 Alexis (2020-12-22). "The cyber attack that rocked the nation". Helsinki Times. Retrieved 2022-03-31.
  12. 1 2 "Tällainen on Julius Kivimäki, jota epäillään Vastaamon tietomurrosta". Iltalehti (in Finnish). Retrieved 2022-11-21.
  13. 1 2 3 "Court detains Finnish man in absentia as suspect in psychotherapy centre data hacks". Yle News. 2022-10-28. Retrieved 2022-11-21.
  14. 1 2 "Etsintäkuulutettu Julius Kivimäki kertoo elinoloistaan HS:lle: väittää omistavansa rahastoihin liittyvän yrityksen". Ilta-Sanomat (in Finnish). 2022-11-13. Retrieved 2022-11-21.
  15. "Hacker Charged With Extorting Online Psychotherapy Service". Krebs on Security. 3 November 2022. Retrieved 2022-11-21.
  16. "French police arrest Finnish psychotherapy centre hacking, extortion suspect". Yle.fi. Yle. 3 February 2023. Retrieved 3 February 2023.
  17. "Vastaamon tietomurrosta epäilty Aleksanteri Kivimäki on tuotu Suomeen" (in Finnish). MTV. 2023-02-25. Retrieved 2023-02-28.
  18. 1 2 3 Helsinki, AFP in (2020-10-26). "'Shocking' hack of psychotherapy records in Finland affects thousands". the Guardian. Retrieved 2022-03-31.
  19. 1 2 3 4 5 "Finland shocked by therapy center hacking, client blackmail". AP NEWS. 2021-04-20. Retrieved 2022-03-31.
  20. "Ransomware Moves from 'Economic Nuisance' to National Security Threat". VOA. 22 May 2021. Retrieved 2022-03-31.
  21. 1 2 Teivainen, Aleksi (2020-10-23). "Hacking may have compromised privacy of thousands of psychotherapy clients in Finland". Helsinki Times. Retrieved 2022-03-31.
  22. "Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients". threatpost.com. 26 October 2020. Retrieved 2022-03-31.
  23. 1 2 3 4 5 6 "A dying man, a therapist and the ransom raid that shook the world". Wired UK. ISSN   1357-0978 . Retrieved 2022-04-11.
  24. Teivainen, Aleksi (2020-10-27). "IS: Vastaamo fires CEO, saying he knew about hacking for 18 months". Helsinki Times. Retrieved 2022-03-31.
  25. 1 2 3 "Extortion of therapy patients in Finland shakes culture of privacy". Christian Science Monitor. 2021-03-19. ISSN   0882-7729 . Retrieved 2022-03-29.
  26. 1 2 Milne, Richard (2020-10-26). "Finland police hunt blackmailer who hacked psychotherapy centre's records". Financial Times. Retrieved 2022-03-29.
  27. "Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients". threatpost.com. 26 October 2020. Retrieved 2022-03-29.
  28. 1 2 "Vastaamo Data Breach: What We Know So Far". Finland Today | News in English | finlandtoday.fi. October 28, 2020. Retrieved 2022-04-11.
  29. 1 2 3 Teivainen, Aleksi (2020-10-26). "Ohisalo: Finnish government to talk about hacking on Wednesday". Helsinki Times. Retrieved 2022-03-29.
  30. "Aleksanteri Kivimäki remanded into custody over Vastaamo hack". Yle Uutiset. 28 February 2023. Retrieved 2023-04-19.
  31. "Hacked therapy centre's ex-CEO gets 3-month suspended sentence". Yle Uutiset. 18 April 2023. Retrieved 2023-04-19.
  32. 1 2 "Man accused of Finland psychotherapy hack charged with 21,000 counts of extortion". The Guardian. Agence France-Presse. 2023-10-18. Retrieved 2024-03-09.
  33. "Tällaisen tuomion Julius Kivimäki sai". Ilta-Sanomat (in Finnish). 30 April 2024. Retrieved 2024-04-30.
  34. "It-rikos kannattaa". Tivi (in Finnish). 7 June 2024. Retrieved 2024-09-19.