Helsinki is grappling with a significant data breach affecting its education division, discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel. Though details about the breach circulated on May 2, 2024, city authorities recently disclosed more information, revealing that an unauthorized actor gained access to a network drive by exploiting a vulnerability in a remote access server. This breach is deemed “very serious” by city manager Jukka-Pekka Ujula, potentially affecting over 80,000 individuals, prompting immediate actions to notify relevant authorities and advise affected parties on precautionary measures.
The breach exposed a large volume of sensitive data, including personally identifiable information (PII) such as usernames, email addresses, personal IDs, and physical addresses. Additionally, the compromised data contained information on fees, childhood education and care, welfare requests, medical certificates, and other highly sensitive details. Helsinki authorities expressed deep regret over the situation and emphasized the severity of the breach, acknowledging the potential unfortunate consequences for impacted individuals and personnel.
City officials indicated that while the security patch for the vulnerability was available at the time of the attack, it had not been installed, underscoring the importance of timely software updates and cybersecurity best practices. With the investigation ongoing, Helsinki has notified relevant authorities, including the Data Protection Ombudsman, the Police, and Traficom’s National Cyber Security Centre. Affected individuals are advised to report any suspicious communications and follow guidance provided by Traficom to mitigate risks associated with the breach.
