Something unexpected happened in Finland in October 2020. A psychotherapy centre called Vastaamo and its clients became victims of a major data breach in which sensitive patient information was stolen and later disseminated online. The actual hacking of the database had happened much earlier, in 2018-2019, but only became public in October 2020.
A blackmailer announced that they held the records of some 40 000 patients of the centre and started sending blackmail letters to hundreds of these patients, demanding money in return for not publishing their sensitive patient information. The patient database was later made public on the anonymous Tor network and afterwards also on the open internet. So far, some 23 000 victims have reported the crime to the police.
The news was a big shock to thousands and thousands of these victims. And it was not only about one’s extremely personal patient records. It was also about identity theft, since these victims’ social security numbers had been exposed to criminals, making it easy to commit different kinds of fraud.
In Finland, it is rather easy to make online purchases or take out so-called quick loans with a social security number. You can also change a person’s postal address rather easily with such information and cause different kinds of harm. After the Vastaamo case, using the mere social security number for such purposes has been made more difficult, but strong online identification is still not always required.
The risk of becoming a target of fraud meant that the victims needed to quickly set up different kinds of bans, such as credit and registration bans. Such information and concrete advice for the victims did not exist anywhere. Victim Support Finland (RIKU) was the first agency in Finland to publish this information on its webpage and to give personal advice to these victims. Soon the authorities also started collecting and publishing information for the victims.
On the same day that the data breach was announced and the first victims started to contact RIKU, information was published on RIKU’s webpage in a “question and answer” format. This information was also important for the supporters, both staff and volunteers, who gave individual support to the victims, mainly through the 116 006 helpline and RIKU’s online chat, in a situation that we had never experienced before.
RIKU personally supported some 1500 victims in less than a week’s time at the end of October and beginning of November 2020. The number of visitors to RIKU’s webpage was in the tens of thousands in just a few days. Today, the number of assisted victims of the Vastaamo case is over 3000.
After this event, an official webpage for victims of data breaches was created. On this page, victims can find information about the different bans and instructions on how to put them in place.
A big lesson to be learned is that we also need preparedness planning for such large-scale cybercrimes, where huge numbers of people are victimized at the same time.
At RIKU, we have now created a preparedness plan, which means that we can start our support services at short notice even when our services are not normally open, such as during weekends. This includes an alert system, which rapidly reaches out to both staff and volunteers to sign in if help is needed quickly.
The police investigation succeeded in finding a suspect in November 2022, but the suspect has gone into hiding. If there is a trial in the case, thousands of victims will have the possibility to present their demands in a court hearing. This will be a big challenge for the prosecutors and the court system, and something we also need to be more prepared for in the future.
Legally, the case has proven to be very complicated from the victims’ perspective, and it remains unclear whether victims will have a possibility of compensation. Thus, there is also a need to look at the compensation schemes for these kinds of crimes.
Victim Support Finland