The City of Helsinki is investigating a data breach in its education division, which it discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel.
Though information about the attack was circulated on May 2, 2024, the city's authorities shared more details in a press conference earlier today.
According to the details disclosed today, an unauthorized actor gained access to a network drive after exploiting a vulnerability in a remote access server.
While the officials did not state what remote access product was targeted, they shared that a security patch for the vulnerability was available at the time of the attack but had not been installed.
The accessed drive contained tens of millions of files, most devoid of personally identifiable information (PII). Still, some included usernames, email addresses, personal IDs, and physical addresses.
Additionally, the exposed drive contained information about fees, childhood education and care, children's status, welfare requests, medical certificates, and other highly sensitive information.
"This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply,"
commented city manager Jukka-Pekka Ujula.
