Date: 2023-04-18

The District Court of Helsinki has given its verdict regarding the data protection responsibility of Ville Tapio, ex-CEO of Vastaamo Psykoterapikeskus.

On Tuesday, the Helsinki District Court gave its decision in the criminal case concerning data security liability for Vastaamo’s data breaches.

Vastaamo’s former CEO, Ville Tapio, was given a three-month suspended prison sentence for a data protection crime.

The case concerns the processing of customers’ personal data and data security, in connection with the leak of sensitive data of tens of thousands of Vastaamo’s customers into outside hands.

Tapio’s indictment concerned data protection events between March 2019 and October 2020.

The judgment is not binding.

Vastaamo was targeted by two data breaches, in 2018 and 2019. It is known that in the 2018 breach, customers’ patient information was taken and later used to blackmail customers. Vastaamo itself did not notice the 2018 data breach at all.

According to the prosecutor, in March 2019, an outside party broke into Vastaamo’s patient database, messed up the database and left a blackmail message. Tapio’s indictment is related to the March 2019 data breach and the period after that until fall 2020.

According to the prosecutors, due to Tapio’s actions and negligence, Vastaamo had insufficient information security for a long time, both at the level of its organization and practical protections.

The compromising of patient data only came to the attention of the authorities in September 2020, after the extortion against Vastaamo. In the same autumn, the data breach also became public.

Tapio denied the charge. According to his defense, two IT employees at the time were responsible for Vastaamo’s information security, not Tapio himself.

In the preliminary investigation, in addition to Tapio, two employees of Vastaamo’s IT department were also suspected. However, the prosecutors brought charges only against Tapio and cleared the employees of any criminal charges.

According to his story, the overworked IT department had notified the management about information security gaps and various procurement needs, but nothing had happened.

The Central Criminal Police stated in the preliminary investigation material of the case that, given the sensitivity of the data it managed, Vastaamo’s information security was not at the required level.

“Practically, all the means needed for protection (such as a firewall, VPN, passwords, database encryption, pseudonymization, data security testing, and logging and documentation) have been inadequate or completely missing,” the police preliminary investigation protocol listed.

The police’s preliminary investigation into the Vastaamo data breach and the extortion of customers is currently in progress. The District Court of Länsi-Uusimaa imprisoned Aleksanteri Kivimäki, also known as Julius Kivimäki, in late February as a suspect in the case. He has denied that he committed the crime.

Kivimäki was imprisoned on probable cause, on suspicion of, among other things, aggravated data breach and aggravated dissemination of information that violates private life.

If the suspicions against Kivimäki lead to charges, they will be dealt with in a separate trial in due course.

