City of Helsinki reports data breach of its educational and training departments

The City of Helsinki is reporting a data breach affecting its educational and training departments. The attack was executed from outside Finland, targeting tens of millions of documents. Although many of these documents did not contain personal data, the breach still led to the exposure of highly sensitive information.

The breach was made possible by an unpatched security vulnerability in a remote access server, which had a patch available but not installed at the time of the incident. The City has shut down the network after detecting the breach, notified the Data Protection Ombudsman, Helsinki Police, and Traficom's National Cyber Security Centre.

The breach compromised the data of over 80,000 pupils and their guardians and approximately 38,000 city employees: Exposed data includes:

• For Pupils and Guardians:
  • Personal IDs
  • Address details
  • Early childhood education fees and payment information
  • Special support requirements
  • Medical reports related to middle school pupils' suspensions
• For City Employees:
  • Usernames
  • Email addresses
  • Sick leave details

Update - as of 21st of May, the data breach is reported to impact over 150,000 learners and their guardians, as well as the 38,000 city personnel. The breach in Helsinki may have compromised information on all persons of compulsory school age in the city. This data, which was stored on a city network drive, includes

• personal IDs,
• addresses,
• native languages,
• nationalities,
• religious communities of children born between 2005 and 2018,
• as well as their guardians.