Helsinki Education System Breached via Unpatched Vulnerability

The cybersecurity threat environment has never been hotter or the stakes higher, and the cybersecurity community forecasts more of the same. Not only are there more vulnerabilities for attackers to exploit; analysts also report that perpetrators are exploiting them faster, weaponizing new security advisories within days, sometimes within hours, of publication. Organizations therefore face more risk and need to improve both their visibility into what is running on their networks and the speed at which they remediate known flaws.

In this article we will review a recent cybersecurity breach of the Helsinki Education System via an unpatched vulnerability that led to the theft of tens of millions of files representing the sensitive personal information of roughly 80,000 individuals. Forensic analysis of the attack indicates Russian threat actors may be responsible.

Overview of the Helsinki education system data breach

On 2 May 2024, the City of Helsinki’s Education Division was breached via an unpatched vulnerability in a remote access server. According to City Manager Jukka-Pekka Ujula: “A hotfix patch has been available to eliminate this vulnerability, but it is not currently known why this hotfix was not installed on the server.”

Specific technical details about the breach have not yet been disclosed. What is known is that the attackers were able to reach network drives containing tens of millions of files and exfiltrate them. Jukka-Pekka Ujula further commented: “Our security update and device maintenance controls and procedures have been insufficient”, referring to the absence of vulnerability management activities that would have ensured a known, fixable vulnerability was actually patched.

The stolen data includes the Personally Identifiable Information (PII) of roughly 80,000 students, guardians, and personnel: usernames and email addresses, personal identity codes and students’ home addresses. It also includes other sensitive private information, such as fees (and their justifications) for customers of early childhood education and care, sensitive information about the status of children such as requests for student welfare services or the need for special support, medical certificates regarding the suspension of studies for upper secondary students, and sick leave records.

Finland’s national response to the breach

The City of Helsinki’s Chief Digital Officer, Hannu Heikkinen, told reporters that early forensic analysis of the breach identified evidence that the attack may have originated from Russia. The attack comes within months of escalating border tensions between Russia and Finland. Although Russian nation-state threat actors and associated groups are known for cyber campaigns against their adversaries, no group has claimed responsibility. In Germany, the Federal Office for Information Security (BSI) has taken the position that Germany needs to realign itself strategically in response to increased cyber attacks from Russian-based threat actors and invest more in cybersecurity.

The National Cyber Security Centre Finland (NCSC-FI) has published updates and guidance on how to manage such incidents and improve cybersecurity measures across the public and private sectors. The Finnish Government has also highlighted the need for systematic development and closer cooperation among authorities to improve the country’s cybersecurity resilience.

Traficom, the Finnish Transport and Communications Agency, provides advice for those whose personal information has been stolen, and for anyone who receives suspicious communication related to this incident. Anyone affected is asked to report suspicious communications to kaskotietoturvatilanne@hel.fi or to call +358 9 310 27139.

Greenbone supports cybersecurity best practices

The takeaway from this incident, and others like it, is that proactive cybersecurity best practices such as vulnerability management reduce both the likelihood of a data breach and its associated costs. To defend themselves, organizations need to implement policies, processes, and technologies, such as the Greenbone Enterprise Vulnerability Management platform, that support these best practices. Failing to do so leaves the door open to attackers and carries financial, reputational, and privacy risks.

Greenbone provides high visibility of the systems and software running within the organization’s IT infrastructure and ingests cyber-threat intelligence, allowing IT security teams to carry out risk-driven remediation: fixing first what is exposed and already being exploited, rather than working through findings in arbitrary order. As a vulnerability scanning and management platform, Greenbone’s role is to help organizations detect known vulnerabilities in their IT environments and attest compliance with standards such as the BSI minimum standards and the CIS security controls.
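The following is an added illustration of what risk-driven remediation means in practice; it is not Greenbone code and not part of the original article. It takes a constructed set of scan findings (host, vulnerability identifier, CVSS score, whether an exploited-in-the-wild feed lists the flaw, whether the asset is internet-facing, whether a vendor fix exists, and when the scanner first reported it), assigns each a remediation deadline that tightens as exploitation evidence grows, orders the backlog by how far past its deadline each item is, and pulls out the case this breach turned on: a fix that exists but has not been applied past its deadline. The SLA windows, score weights, and sample findings are assumptions chosen for the example.

```python
# Added example, not Greenbone code: ordering scan findings by exploitation
# risk and checking them against remediation deadlines. Field names, SLA
# windows, score weights and the sample findings are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 to 10.0
    known_exploited: bool   # listed in an exploited-in-the-wild feed (assumed input)
    internet_facing: bool   # taken from the asset inventory (assumed input)
    patch_available: bool   # vendor has published a fix
    first_seen: date        # date the scanner first reported the finding


def remediation_sla_days(f: Finding) -> int:
    """Days allowed from first_seen to fix. The window is shortest where
    exploitation is already observed, because advisories are weaponized
    within days of publication."""
    if f.known_exploited and f.internet_facing:
        return 2
    if f.known_exploited:
        return 7
    if f.cvss >= 9.0:
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90


def risk_score(f: Finding) -> float:
    """CVSS adjusted by exploitation evidence and exposure; higher is fixed first."""
    score = f.cvss
    if f.known_exploited:
        score += 4.0
    if f.internet_facing:
        score += 2.0
    return round(score, 1)


def deadline(f: Finding) -> date:
    return f.first_seen + timedelta(days=remediation_sla_days(f))


def prioritize(findings, today: date):
    """Order findings by days past deadline (most overdue first), then by
    risk score, then by host name for a stable result."""
    def key(f):
        days_overdue = (today - deadline(f)).days
        return (-days_overdue, -risk_score(f), f.host)
    return sorted(findings, key=key)


def missing_available_fixes(findings, today: date):
    """Findings past their deadline for which a vendor fix already exists:
    the gap the Helsinki breach exposed (hotfix published, never installed)."""
    return [f for f in prioritize(findings, today)
            if f.patch_available and today > deadline(f)]


# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("vpn-gw01", "VULN-A", 9.8, True, True, True, date(2024, 4, 20)),
    Finding("fileserver02", "VULN-B", 7.5, False, False, True, date(2024, 4, 1)),
    Finding("kiosk07", "VULN-C", 5.3, False, True, False, date(2024, 2, 1)),
    Finding("db01", "VULN-D", 9.1, False, False, False, date(2024, 4, 28)),
]

if __name__ == "__main__":
    as_of = date(2024, 5, 2)
    for f in prioritize(SAMPLE_FINDINGS, as_of):
        late = (as_of - deadline(f)).days
        print(f"{f.host:14} {f.vuln_id} score={risk_score(f):5.1f} "
              f"deadline={deadline(f)} days_overdue={late}")
    print("fix available but not applied, past deadline:",
          [f.host for f in missing_available_fixes(SAMPLE_FINDINGS, as_of)])
```

With the sample data as of 2 May 2024, the internet-facing remote access gateway with an actively exploited flaw sits at the top of the list ten days past its two-day window, while the high-scoring but internal, unpatchable database finding is not yet due; a vulnerability management process only has value if the output of a ranking like this is actually acted on within the window.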