Date | |
---|---|
Location | Finland |
Type | cyberattack, data breach, ransomware |
Target | Vastaamo |
Suspects | Aleksanteri Kivimäki |
Vastaamo was a Finnish private psychotherapy service provider founded in 2008. [1] On 21 October 2020, Vastaamo announced that its patient database had been hacked. Private information obtained by the perpetrators was used in an attempt to extort Vastaamo and, later, its clients. [2] The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid. To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.
After extortion of the company failed, the extorters sent emails to the clients whose data they had obtained, demanding that they pay ransoms in order to avoid publication of their sensitive personal data. [3] [4] [5] [6] These ransom demands were sent to roughly 30,000 victims. [6] The company's security practices were found to be inadequate: the sensitive data was neither encrypted nor anonymized [7] [6] and the system root did not have a defined password. [8] [9] [10] The patient records were first accessed by intruders in November 2018, while the security flaws continued to exist until March 2019. [5]
In December 2021, the Finnish Data Protection Authority (DPA) fined Vastaamo 608,000 euros for violating the provisions of the General Data Protection Regulation (GDPR). [9] [10] This cyber-attack became the biggest criminal case in Finnish history. It also turned into an international scandal and a cyber-attack unprecedented in its scope because of the double extortion tactic applied by the cyber criminals. [11]
On October 28, 2022, the National Bureau of Investigation named the suspect behind the breach as 25-year-old Aleksanteri Julius Kivimäki. [12] [13] Kivimäki was charged in absentia at Helsinki District Court for aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence. [12] [14] An arrest warrant was filed with Europol and Interpol against Kivimäki stating that he was in Dubai. [14] [13] In 2015, Kivimäki, then a member of Lizard Squad, was found guilty on over 50,000 counts of computer crime. [13] [15]
Kivimäki was arrested in France on 3 February 2023. [16] He was extradited to Finland on 24 February. [17]
Vastaamo was a Helsinki-based private psychotherapy center founded in 2008 that provided private mental-health services to its patients. [1] It was a firm with twenty-five therapy centers throughout the Nordic country of 5.5 million people. [18] Vastaamo operated as a sub-contractor for Finland's public health system. [19] Ville Tapio, ex-CEO of Vastaamo, first heard from the hacker on 28 September 2020. He immediately notified various government authorities, including the police. [6] On 21 October 2020, Vastaamo announced that the confidential treatment records of approximately 36,000 psychotherapy patients and 400 employees [20] had been compromised. [11] The psychotherapy center received a ransom demand for 450,000 euros in Bitcoin. [19] The leaked patient database contained psychotherapy clients’ personal information, such as their full names, home addresses, email addresses, social security numbers, names of the clinics where they received treatments, and therapists’ and doctors’ notes from each session. [21] [6]
As the company refused to pay the ransom, the hacker, using the alias “ransom_man,” [18] published the therapist session notes of at least 300 patients, [22] including politicians and police officers, [23] on a public forum through the Tor network. The therapist session notes contained information about adulterous relationships, suicide attempts and pedophilic thoughts. [6] The hacker approached victims of the security breach directly with extortion emails demanding ransoms of 200 euros paid in Bitcoin, with the amount increased to 500 euros unless paid within 24 hours. [19] A 10-gigabyte data file containing private notes between at least 2,000 patients and their therapists appeared on websites on the “dark web.” [18] Patient information was stolen during two attacks, which started as early as 2018. The first intrusion into Vastaamo's database took place in November 2018, and the systems were penetrated between the end of November 2018 and March 2019. [19] [5] PTK Midco, a holding company owned by Intera Partners, a Finnish private equity firm, acquired a 70% stake in Vastaamo in May 2019. The company has asked for an inquiry into the acquisition and has also requested that its acquisition of the company be cancelled and the purchase price be returned for failure to disclose the hacking. [23]
Ville Tapio was relieved of his duties as the chief executive of the psychotherapy center on 26 October 2020. [24] Vastaamo was declared bankrupt by the decision of the Helsinki District Court in February 2021. [10] In early March 2021, its staff and services were transferred to Verve, a provider of occupational welfare services. The company's patient database was not transferred over to Verve. [6]
The security breach has shaken societal trust in Finland's institutions, violated sensitive systems, and damaged faith in online social networks that are supposed to be properly secured. Thousands of victims have suffered anxiety, insecurity, and stress from this traumatic event, and the psychological effects of the trauma are long-lasting. [25] This created a national opportunity for public discussion about mental health issues. [25] Additionally, the weak security of health-care systems has been brought to the surface. The hacking incident had a wide impact on the healthcare industry's obligations to secure its networks and increase its accountability. [23] The security breach served as a wake-up call for Finnish cyber security, prompting increased preparation for digital attacks on medical healthcare providers and private education institutions. [26] [27] Focus on balancing availability of information and data governance [21] has increased, along with investments in companies' computer security, since the hacking incident occurred. As a result of the data breach, the Finnish Data Protection Authority (DPA) started taking violations of the GDPR more seriously and increased its enforcement activities. [10] The outcomes of investigations of the security breach, and any sanctions established, now serve as a reference point for future legal assessments. [23]
Immediately following the hack, the cabinet of the Finnish government held its regular Wednesday meeting to address cybersecurity issues, create new legislation regarding data security and identity theft, and promise emergency support for the victims. [26] [28] More than 22,600 victims of blackmail in 2020 visited Victim Support Finland (RIKU), an organization that provides counseling and support to victims of crimes. [25] Various Finnish organizations quickly established ways to help the victims, including direct dial-in numbers to churches and therapy services. [19] Organizations that provide victim support services include the Finnish Red Cross, Mental Health Finland, Victim Support Finland and the Evangelical Lutheran Church of Finland. [29] Additionally, many companies working with social security numbers and debt collection took action to help the victims whose identities had been stolen. [28] In order to rebuild public trust in the government and authorities, the Finnish central government requested that government agencies make sure the processing and handling of personal information is secure, to minimize the leakage of personal data. [29] Additionally, ministries conducted reviews of what they could do better within their own departments and how they could assure the public about the security of their personal data. [29] Finland's National Bureau of Investigation introduced an unprecedented Finnish criminal code, under which a person can be found guilty of violating the privacy of the data subject when they process personal data, either intentionally or through gross negligence, and cause damage or significant inconvenience to the data subject. [23] Furthermore, the Finnish government accelerated legislation that allowed its citizens to change their personal identity codes when a data breach involves a high risk of identity theft. [23]
In February 2023, 25-year-old Aleksanteri Kivimäki was extradited to Finland from France. He has since been kept in custody over crimes related to the hacking of patient records from the Vastaamo psychotherapy centre. [30]
In April 2023, Helsinki District Court sentenced the ex-CEO of Vastaamo, Ville Tapio, to a three-month suspended sentence. He was found guilty of a data protection crime mandated in the General Data Protection Regulation (GDPR). [31]
In October 2023, Aleksanteri Kivimäki was charged with stealing records of psychotherapy patients and over 21,000 counts of extortion. [32] His trial was scheduled to start on 13 November. [32]
In April 2024, Aleksanteri Kivimäki was sentenced to six years and three months in prison. [33] Author and information technology consultant Petteri Järvinen has used the relatively light sentence as proof that cybercrime often has no serious consequences for the perpetrator in Finland, even if the victims suffer from its results for the rest of their lives. [34]