Finnish Security and Intelligence Service leaks its payroll data to Gmail account
The Finnish Security and Intelligence Service (Supo) experienced a significant data breach when confidential information pertaining to nearly all of its employees was inadvertently sent to an external email address.
This incident, reported by the Finnish news agency STT, occurred last summer and involved the accidental disclosure of sensitive data on almost 600 Supo staff members. The breach began when a Supo employee who was on leave requested their pay slips from the organization's personnel administration. In response, Supo submitted a service request to the Finnish Government Shared Services Centre for Finance and HR.
When forwarding the requested information to the employee's personal Gmail account through a secure mail service, Supo verified only one of the attachments sent by the HR service centre. Because of this oversight, the message also carried an additional file that contained comprehensive payroll information, including home addresses, salary details, and recruitment information of up to 586 employees.
The breach was brought to Supo's attention on the same day by the employee who received the email, prompting an internal review. Supo acknowledged the incident as a result of negligence on the part of both the HR service centre and its own procedures. However, the national security agency deemed the breach to be of minor significance, deciding there was no necessity to notify the affected employees about the incident. Supo assessed that the risk of misuse or further distribution of the leaked data was "extremely small."
The Finnish Data Protection Ombudsman, upon reviewing the case, concurred with Supo's assessment and determined that no additional actions were required in response to the breach. This decision, along with the incident details, has stirred discussions on data protection and security protocols within national security agencies.
For further details, the original notification from Supo or additional commentary from the Data Protection Ombudsman's office might provide more insights into the incident and the decisions made in its aftermath.