A hacker gained access to customers' personal information via an employee's email. The customer interviewed by HS is shocked that something like this can happen in a big bank.

The cooperative bank an external party could get hold of the bank's customers' first and last names and personal identification numbers.

OP informed about the data breach targeting the bank's employee for the first time on December 5. Since then, the investigation has revealed that more information has been leaked than thought.

“We have wanted to send a message to customers as soon as we know who is affected. However, the investigation has taken its time. Now the overall picture has become more detailed and we have identified new persons whose information has been compromised”, says OP's information security director Teemu Ylhäisi.

Ylhäisi regrets that not all the victims of the data leak were identified immediately.

The OP does not comment in more detail on how large a group of customers' information has possibly been leaked. However, according to the most seniors, it is a small, limited group in relation to the total number of customers.

OP has been in direct contact with persons whose information may have been compromised. However, according to the top, it is possible that not all customers have necessarily read the online message or received the letter in the mail.

Part didn't get in touch until Monday.

HS interviewed one of them. He does not appear in the story under his own name due to his data security.

According to the interviewee, it is very special that by breaking into the e-mail of an individual OP employee, it was possible to get hold of OP's customer information. In his opinion, data protection should be better.

“I sent the OP a message asking if the data was really taken behind the Microsoft 365 password, because I couldn't believe my ears,” he says.

The interviewee points out that, in his opinion, those working with customer data should be well aware of information security issues.

“On top of that, I've tried to be extremely careful in matters of information security myself, and now a big bank works like this. I don't understand how this can happen.”

Data breach was carried out according to the OP using a very advanced and hard-to-detect attack technique that allows bypassing two-step authentication.

According to Ylhäis, OP's employees primarily use the customer information system to process customer information, but there are also cases where in-house protected e-mail is used to transfer customer information.

A hacker has been able to view the e-mails of an individual employee and may have obtained customer information, as one employee had not deleted the information he processed from his e-mail in accordance with the OP's instructions.

According to the top, OP takes information security very seriously. Due to the incident, OP will repeat the information security instructions. In addition, additional restrictions have been placed on using e-mail.

The data breach did not endanger the funds of the bank's customers. The bank warns that there may be attempts to use leaked personal data, for example, to target new phishing messages or to commit fraud.

The OP is not aware that the information has been misused.