Date |
|
---|---|
Location | Finland |
Type | cyberattack, data breach, ransomware |
Target | Vastaamo |
Suspects | Aleksanteri Julius Kivimäki |
Vastaamo was a Finnish private psychotherapy service provider founded in 2008.[1] On 21 October 2020, Vastaamo announced that its patient database had been hacked. Private information obtained by the perpetrators was used in an attempt to extort Vastaamo and, later, its clients.[2] The extorters demanded 40 bitcoins, roughly worth 450,000 euros at the time, and threatened to publish the records if the ransom was not paid. To add pressure to their demands, the extorters published hundreds of patient records a day on a Tor message board.
After extortion of the company failed, the extorters sent emails to the clients whose data they had obtained, demanding that they pay ransoms in order to avoid publication of their sensitive personal data.[3][4][5][6] These ransom demands were sent to roughly 30,000 victims.[6] The company's security practices were found to be inadequate: the sensitive data was not encrypted and anonymized[7][6] and the system root did not have a defined password.[8][9][10] The patient records were first accessed by intruders in November 2018, while the security flaws continued to exist until March 2019.[5]
In December 2021, the Finnish Data Protection Authority (DPA) fined Vastaamo 608,000 euros for violating the provisions of the General Data Protection Regulation (GDPR).[9][10] This cyber-attack became the biggest criminal case in Finland history. It also turned into an international scandal and a cyber-attack unprecedented in its scope due to the tactic called double extortion applied by the cyber criminals.[11]
On October 28, 2022, the National Bureau of Investigation named the suspect behind the breach as 25-year-old Aleksanteri Julius Kivimäki.[12][13] Kivimäki was charged in absentia at Helsinki District Court for aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence.[12][14] An arrest warrant was filed with Europol and Interpol against Kivimäki stating that he was in Dubai.[14][13] In 2015, Kivimäki, then a member of Lizard Squad, was found guilty on over 50,000 counts of computer crime.[13][15]
Kivimäki was arrested in France on 3 February 2023.[16] He was extradited to Finland on 24 February.[17]
:5
was invoked but never defined (see the help page).:9
was invoked but never defined (see the help page).