2023-03-02

According to the KRP’s preliminary investigation protocol, practically all the means needed for protection had previously been insufficient or completely absent.

The trial concerning information security liability for the data breaches at the psychotherapy centre Vastaamo began on Thursday in the Helsinki District Court. The prosecutors are demanding a prison sentence for Vastaamo’s former CEO Ville Tapio for a data protection offence.

The criminal suspicion concerns the processing of personal data and data security in connection with the leak of sensitive information on tens of thousands of Vastaamo customers to outsiders.

According to the prosecutors, Tapio failed to notify the Data Protection Ombudsman’s office of the earlier data breach and did not sufficiently ensure that data security was in order. According to the prosecutors, he acted either intentionally or with gross negligence.

Tapio denies the charge of data protection crime.

Vastaamo had been the target of several data breaches and security incidents over the years. According to the prosecutors, Ville Tapio knew about them but failed to act adequately.

Patient data should be kept in a database that is closed to external connections. However, the communication port of Vastaamo’s database had been open to the internet between November 26, 2017 and March 13, 2019.

The preliminary investigation material of the National Bureau of Investigation (KRP), which became public on Thursday, states that, relative to the sensitive nature of the data being handled, Vastaamo’s information security did not appear to have been at the required level.

“Practically all the means needed for protection (such as a firewall, VPN, passwords, database encryption, pseudonymisation, data security testing as well as logging and documentation) have been inadequate or completely missing,” the summary of the preliminary investigation protocol states.

The KRP states in the preliminary investigation that Vastaamo had, for example, used weak passwords. The password of the patient database user account was only seven characters long and contained no capital letters or special characters. The same username and password for the patient database had been in use since 2012.

The username and password had also been shared in unprotected form. At least at some point, the same password had also been used in the alarm system and as a code word at the security office.

In interrogation, the police asked an employee of the IT department whether information security at Vastaamo had been considered from the perspective of prevention.

“It was quite reactive. It would have been possible to prevent it with virus protection, for example, but it was not there.”

Police: “Did you bring these concerns to the management’s attention?”

“Ville Tapio has always been informed of these problems. For example, the VPN issue, Wi-Fi network passwords, the antivirus issue. Secure printing for the multifunction printers was not implemented because it costs money. Some things have been put on hold because they have cost money, or he hasn’t responded,” the employee replied.

According to the preliminary investigation, Tapio had, for example, not allowed the requested information security software to be installed, even though two IT employees had justified the purchase by saying that someone had already got through the protection in use at the time.

As early as March 15, 2019, a data breach and extortion attempt had occurred, of which the authorities were not properly notified. According to an investigation conducted by an information security company in October 2020, an outside party had logged into the patient database without authorisation, destroyed it and left an extortion message in place of the database.

On March 15, 2019, it was discovered that the patient information system could not be reached. At first it was treated as a normal outage, until it became clear that data had been lost. The data was restored from backups, but some of it only later.

According to the preliminary investigation, it was only on April 12, 2019 that Valvira (the National Supervisory Authority for Welfare and Health) was notified of an outage in the patient information system caused by maintenance. The notification, however, said nothing about the possible risk that patient data had been compromised.

According to the security company’s investigation, there was no clear evidence that the database had been stolen in this connection, but the possibility had existed.

However, a leak of customer data had already been ruled out in the preliminary risk report, even though at the time of the report there was no information about where the patient data had gone or what had caused the data loss, the preliminary investigation states.

Tapio denied in the preliminary investigation that he had known about the March 2019 data breach and extortion. According to him, he had been given the impression that the server had crashed due to a technical database error. According to the prosecutors, he had already become aware of the information security problems at that point.

The compromise of patient data only became known to the authorities on September 28, 2020, after the extortion attempt against Vastaamo. The data breach also became public in autumn 2020.

According to the prosecutors, however, the blackmailer is suspected of having obtained the patient data in an earlier data breach, carried out in November 2018. Vastaamo itself did not notice that data breach at the time.

Tapio said in the police interrogation that he heard about the database leak for the first time only on September 28, 2020. At that time he had received an e-mail message containing a small sample from the database. The IT employee confirmed that it was the Vastaamo database.

According to Tapio, information security at Vastaamo was taken care of with the help of, among other things, a self-monitoring plan, the data protection committee and external experts.

“Technically, the data security was fine,” Tapio said in an interview in February 2021.

In the courtroom on Thursday, Tapio’s defense shifted the responsibility for information security problems to Vastaamo’s two IT employees.

“The system would have been safe if used correctly,” Tapio’s lawyer Lina Kokko said.

According to Tapio’s defence, it was the employees’ fault that the communication port was open to the internet between 2017 and 2019.

In the preliminary investigation, two employees of Vastaamo’s IT department were also suspects alongside Ville Tapio. However, the prosecutors decided to bring charges only against Tapio. The overworked IT department had notified management of information security gaps and various procurement needs, but nothing had happened.

The police state in the preliminary investigation that information security at the company was improved somewhat over the years, but despite this, a technical report made in October 2020 found several deficiencies in Vastaamo’s information security.

The preliminary investigation into the data breach against Vastaamo and the extortion of its customers is still in progress at the KRP. Earlier, on Tuesday, the District Court of Länsi-Uusimaa remanded Aleksanteri Kivimäki, known as Julius Kivimäki, in custody as a suspect in the data breach case. He has denied committing the crime.