The Finnish psychotherapy center Vastaamo has been a victim of a ransomware attack which is described by experts and authorities as the worst in the country’s history.
On October 21, breaking news announced that the Finnish privately owned psychotherapy center Vastaamo had been the target of an extensive ransomware attack. The attackers had gained access to thousands of patient records and demanded bitcoins worth approximately 450 000 euros from the healthcare company in exchange for not publishing the information on the darknet. When Vastaamo did not agree to pay the ransom, the attackers instead turned directly to the patients and extorted them for money in exchange for not leaking their personal records.
Nicolas Gabriel-Robez works as an information security consultant and heads Sentor’s Finnish office. Like many others in the cyber security industry, he has delved into the event, which he believes has gripped the entire country:
– Here in Finland, this has been major news since the incident became public. The entire cyber security industry, together with high-ranking politicians, has commented on the attack, and there is more or less consensus that it is unprecedented in Finnish history.
The nature of the leaked information makes the incident sensitive in several ways, says Nicolas. In addition to several children being among the victims, many of the patients come from small communities in Finland where everyone knows everyone. Several of those affected have reported the incident to the police and are now demanding that the people behind the attack be brought to justice.
Unclear circumstances of what has happened
Vastaamo has determined that its databases had been compromised since November 2018. A Finnish cyber security company hired to investigate the intrusion later discovered that the organization was subjected to another targeted attack in March 2019. However, there seem to be some uncertainties about the circumstances.
Vastaamo’s former CEO, Ville Tapio, was fired when the intrusion became known. The company’s board claims that Tapio knew that Vastaamo had been subjected to an attack 18 months before it became public, but chose to keep the information secret. Tapio, in turn, says he knew nothing about the events before the investigation.
Vastaamo has said that although the exact course of events is still partly unclear, it is clear that adequate security measures were lacking, which made it possible for attackers to infiltrate the databases.
– So far, we can only speculate about how the attack was carried out. We also know nothing definitively about the attacker at the moment, other than that he calls himself "ransom_man" and runs a website on Tor where he has already published content from 300 patients’ journals. However, he seems to come from Finland or gets help from someone in Finland, since messages are written in perfect Finnish, says Nicolas.
After Vastaamo chose not to pay the requested ransom, the attacker turned directly to the patients concerned, who were offered the opportunity to pay 200 euros in bitcoins within 24 hours in order not to have their records published. If they did not pay within the set time, they got another 24 hours, but then at a price of bitcoins worth 500 euros.
Finnish authorities are acting
Last Wednesday, ministers of the Finnish Government met to discuss cyber security and measures to prevent this from happening again. They also promised crisis support to the thousands of people affected by the intrusion.
– An effective law would, in my opinion, be a requirement for an independent third party to annually review the security of entities processing high amounts of sensitive personal data. This would add an additional layer of security on top of internal audits, if such are even carried out, Nicolas says.
He also points out that the incident is a clear case of a GDPR violation, which will probably lead to the DPA fining Vastaamo.
Increased awareness among the Finnish citizens
Finnish residents who have been interviewed in connection with the attack say that they will be more restrictive about what data they are willing to share in the future. Nicolas believes that the incident, in addition to its legal aspects, can have long-lasting consequences and lead to increased awareness of the risks of digitalisation.
– We have taken a lot for granted when it comes to what data we share when we, for example, shop online or use digital services. Of course, an event like this makes us begin to question the security of the systems we use, especially among the actors who handle our most sensitive information.
How to avoid ransomware attacks
Ransomware attacks are difficult to manage and protect against. In many cases, the attackers have had access to the systems for a long time before making themselves known, and have used that time to put themselves in a superior position over their victims. However, there are measures that reduce the risk of being affected, says Nicolas:
– The first step towards protecting your digital assets, but which many people miss, is to take an inventory of the organization’s information systems, processes and the people who maintain them. Such a list is better known as an asset register, and it is the asset register that constitutes your attack surface. Without an asset register that is updated regularly, you lack information about your attack surface, and consequently cannot assess and manage the threats that affect your business-critical information systems.
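One way to put the asset-register advice above into practice, as an added example that is not from the article or from Sentor: reconcile the register (constructed sample data) with what a discovery run actually found, so that exposure the register does not know about, and entries nobody has reviewed within a year, are flagged. The field names and the one-year review threshold are assumptions.

```python
"""Reconcile an asset register with discovered exposure (added example)."""
from datetime import date

# Constructed sample register: one row per system, with an owner and the
# date the entry was last reviewed. Field names are assumptions.
ASSET_REGISTER = [
    {"host": "emr-db-01", "service": "postgres:5432", "owner": "IT ops",
     "last_reviewed": "2020-09-15"},
    {"host": "web-01", "service": "https:443", "owner": "Web team",
     "last_reviewed": "2019-01-10"},
]

# Constructed sample of what a discovery run (network scan, cloud
# inventory) observed as reachable host/service pairs.
DISCOVERED = [
    ("emr-db-01", "postgres:5432"),
    ("web-01", "https:443"),
    ("web-01", "http:80"),      # exposed, but never entered in the register
    ("backup-02", "ssh:22"),    # host entirely unknown to the register
]


def review_age_days(entry, today):
    """Days since the register entry was last reviewed."""
    return (today - date.fromisoformat(entry["last_reviewed"])).days


def reconcile(register, discovered, today_iso, max_age_days=365):
    """Return (unregistered, stale).

    unregistered: discovered host/service pairs absent from the register,
                  i.e. attack surface the organization is not tracking.
    stale:        register entries not reviewed within max_age_days, which
                  can no longer be trusted to describe the real system.
    """
    today = date.fromisoformat(today_iso)
    known = {(e["host"], e["service"]) for e in register}
    unregistered = sorted(set(discovered) - known)
    stale = sorted(f'{e["host"]}/{e["service"]}' for e in register
                   if review_age_days(e, today) > max_age_days)
    return unregistered, stale


if __name__ == "__main__":
    unreg, stale = reconcile(ASSET_REGISTER, DISCOVERED, "2020-10-30")
    print("Unregistered exposure:", unreg)
    print("Entries not reviewed within a year:", stale)
```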