The Finns were stunned this Friday at the outcome of a scandal caused by the extortion of a group of hackers to a private company that provides services as a psychotherapy center for the public health system.
In a country that claims to be at the forefront of digitization and data security, the criminals managed to access the database of thousands of customers of the company Vastaamo after detecting vulnerabilities in their system.
According to its website, Vastaamo offers psychological and psychiatric treatment to patients who suffer from disorders such as depression and anxiety. Many of the clients come from public services paid by the Finnish Social Security (Kela).
Extortionists demanded around 450,000 euros (in bitcoins) in exchange for not publishing the clinical and mental health data of thousands of people.
The criminals started to publish the data of 100 people every day in the encrypted web Tor two days ago. They claimed they would not stop until they received the money. As the company was resisting to attend the demands of the hackers, personal data of over 200 people - including minors - have been released online.
The information published could not be more sensitive: it included the patient's name, personal identification number, telephone number, email address and residence address, together with the content of the therapy sessions.
"An unknown hostile party has been in contact with Vastaamo and claims to have obtained confidential information from the company's customers. The Central Criminal Police launched a criminal investigation into the matter. Immediate notifications were also made to the Finnish Cyber Security Center, Valvira and the Data Protection Commissioner. In addition, Vastamo took immediate steps to clarify the matter in cooperation with external and independent security experts," the company said in a press release.
Rumours of ransom payment
The data of another 100 people were published on Thursday night. But on Friday morning the page where the data was being released had been deleted, which triggered rumors about a possible payment to the extortionists.
At the time of writing this article, the company had neither confirmed nor denied the payment. Tuomas Kahri, Chairman of the Board of Vastaamo, told to the newspaper Ilta Sanomat that he would not comment on the ransom payment allegations.
The identity or nationality of the extortionists is unknown, and they appeared to not be worried about their possible arrest by the authorities.
Ilta Sanomat exchanged several messages with them on Thursday, and according to the tabloid the criminals said they did not know that there was data of minors among the published information. However, they ensured that this would not stop their actions.
According to the same newspaper, the blackmailer had also offered individual patients the possibility of deleting their own data by paying about 540 euros in bitcoins.
The National Bureau of Investigation (KRP) is investigating the attack as a case of gross breach and dissemination of private information. Police are asking people who have noticed their private information being disseminated to file an electronic crime report.
The company has been criticized for failing to notify customers earlier that their data was exposed in this extortion case. Some have complained they were contacted only after the case became known to the general public.