Insights from Helsinki: How NCSC-FI Tackled a Significant Data Breach

Helsinki Data Breach Shines Light on Cybersecurity Risks

In late April 2024 the City of Helsinki, Finland's capital and the country's largest employer, suffered a data breach that exposed sensitive personal information belonging to over 300,000 individuals. The incident prompted a thorough investigation and a public reckoning with the city's security practices, and the lessons drawn from it apply well beyond the public sector.

The breach first came to light when a report was filed with Finland's National Cyber Security Centre (NCSC-FI) late on April 30. As media attention grew the following day, the City of Helsinki publicly acknowledged the breach on May 2, confirming that its Education Division, known as KASKO, was the primary victim. Within days, investigators from the City, NCSC-FI and a private digital forensics firm traced the compromise to a Cisco ASA 5515 firewall that had been installed in 2014 and not updated since 2016.

The intrusion began with brute-force attempts against user credentials on the firewall's Cisco AnyConnect remote-access VPN. Once authenticated through the VPN, the adversary moved laterally through the internal network and eventually obtained privileged access to core systems, including Microsoft Active Directory and backup servers. Investigators estimated that around 10 million documents, roughly 2 TB of sensitive data, were stolen. The number of affected people was initially put at 120,000 before rising to over 300,000, covering city employees, students and their families.
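The attack chain described above starts with a signal that is visible on the edge device itself: a burst of failed VPN logins from one source address, followed by a success. The following added example (not code from the article, from NCSC-FI or from the City of Helsinki) shows the detection logic a SOC would run over ASA AAA syslog. The sample lines are constructed here and loosely modelled on the ASA `%ASA-6-113005` (rejected) and `%ASA-6-113004` (successful) messages; hostnames, usernames and addresses are hypothetical, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on Cisco ASA AAA authentication syslog.
# Hypothetical host "fw1", users and RFC 5737 test addresses; not data
# from the Helsinki incident. One attacker (203.0.113.7) tries several
# accounts, then succeeds; one legitimate user (198.51.100.20) mistypes once.
SAMPLE_LOG = """\
Apr 30 2024 22:01:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = anna.k : user IP = 203.0.113.7
Apr 30 2024 22:01:09 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = anna.k : user IP = 203.0.113.7
Apr 30 2024 22:01:15 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = mikko.v : user IP = 203.0.113.7
Apr 30 2024 22:01:20 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = mikko.v : user IP = 203.0.113.7
Apr 30 2024 22:01:27 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = svc.backup : user IP = 203.0.113.7
Apr 30 2024 22:01:33 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = svc.backup : user IP = 203.0.113.7
Apr 30 2024 22:02:10 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = liisa.h : user IP = 198.51.100.20
Apr 30 2024 22:02:18 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = liisa.h : user IP = 198.51.100.20
Apr 30 2024 22:03:00 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51000 (203.0.113.7/51000) to inside:10.1.1.5/443 (10.1.1.5/443)
"""

# Only the two AAA result messages are parsed; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>11300[45]): "
    r"AAA user authentication (?P<result>Rejected|Successful).*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for an AAA auth event, or None for any other message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def parse_events(lines):
    """Parse and time-order all AAA events from raw syslog lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector keyed on source IP.

    Raises a 'brute_force' alert once a source accumulates `threshold`
    rejections within `window_seconds`, and a higher-priority
    'success_after_brute_force' alert when a login from that source then
    succeeds while the failure burst is still inside the window.
    """
    failures = defaultdict(deque)      # ip -> timestamps of recent rejections
    tried_users = defaultdict(set)     # ip -> distinct accounts attempted
    already_flagged = set()
    alerts = []

    for e in parse_events(lines):
        q = failures[e["ip"]]
        # Drop rejections that have aged out of the window.
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()

        if e["result"] == "Rejected":
            q.append(e["ts"])
            tried_users[e["ip"]].add(e["user"])
            if len(q) >= threshold and e["ip"] not in already_flagged:
                already_flagged.add(e["ip"])
                alerts.append({
                    "type": "brute_force",
                    "ip": e["ip"],
                    "failures": len(q),
                    "users": sorted(tried_users[e["ip"]]),
                    "at": e["ts"],
                })
        elif len(q) >= threshold:
            # A success right after a failure burst is the event that
            # matters most: credentials were likely guessed, not mistyped.
            alerts.append({
                "type": "success_after_brute_force",
                "ip": e["ip"],
                "user": e["user"],
                "prior_failures": len(q),
                "at": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed input the detector raises two alerts for 203.0.113.7 and none for the legitimate user who mistyped once. In practice the second alert type is the one to page on, and the same window logic applies to any edge device that emits per-attempt authentication results; a device that has not been patched since 2016 should additionally be treated as a finding in its own right, regardless of what its logs show.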

Despite the scale of the breach, NCSC-FI quickly established that no passwords had been compromised and that no ransom demand was made, which has helped the law enforcement investigation that is still ongoing. Matias Mesia, a senior specialist at NCSC-FI, presented these findings at FIRSTCON in Copenhagen, stressing the need for well-rehearsed incident response.

For incident response, NCSC-FI classified the breach as one of its 'special cases' and stood up a dedicated task force of 10 to 20 agency staff from May 9 until June. The team advised the City on how to run the investigation and assisted with public communication. The agency also compiled 'lessons learned' reports covering organisation, case coordination, technical response, legal aspects and the effectiveness of communication.

Mesia's main takeaways: treat vulnerabilities in edge devices, particularly outdated or unpatched ones, as severe risks and address them accordingly; have incident response and business continuity arrangements prepared in advance, including a predetermined communications structure; and build response teams that mix experienced responders with people who bring fresh perspectives.

Throughout the presentation Mesia also offered practical advice for incident responders: communicate clearly, keep leadership updated in a timely manner, and continuously reassess the security of the network during the response. He announced that NCSC-FI is developing a scheme for categorising cyber incidents by severity so that the agency can allocate its resources to future responses more effectively.

Mapped onto the MITRE ATT&CK framework, the Helsinki intrusion follows a familiar sequence: Initial Access through an exposed VPN service (External Remote Services, T1133) using credentials obtained by Brute Force (T1110), followed by Lateral Movement and Privilege Escalation to Active Directory and the backup infrastructure. Understanding how these stages chain together, and where along the chain an outdated edge device removes the opportunity to stop them, is what makes the case instructive for defenders.
