
Vastaamo Data Breach: Information and Actions for Victims

A few days ago the private psychotherapy centre Vastaamo announced a huge data breach in its databases. In this post I will collect useful information in English for victims until a better official data source is available. This post will be updated with any new information I come across. I invite you to:

  • come back and check what’s new
  • flag me if you have any information or news that should be included (comment below or send me a message).

An overview

The events

According to recent news, the Vastaamo data breach first happened in November 2018. A second breach took place in March 2019. It is unknown whether the same group of hackers was responsible for both events. The crime affected thousands of people (possibly tens of thousands, as the centre had stored the information of over 40 000 customers). The stolen data includes personal information (full names, addresses and, most importantly, social security numbers) as well as sensitive information (the content of the psychotherapy sessions).

In October 2020, hackers demanded a ransom of about half a million euros in bitcoin from Vastaamo. A few days after this news went public, individual victims started receiving threats via email: the messages show the victim's social security number in clear text and demand a ransom of a few hundred euros.

What information has been stolen?

According to Vastaamo's comments, the hackers have stolen personal information such as full names, addresses, phone numbers, email addresses and social security numbers of patients. In addition, they have stolen therapists' and doctors' notes, i.e. summaries of the content of the therapy sessions. According to Vastaamo, the hackers have not stolen credit card numbers or video recordings of virtual sessions.

If you are a victim of the Vastaamo data breach, you have the right to know what information about you was compromised. You can fill in this form and send it to Vastaamo (tuki@vastaamo.fi).

The risks

It is hard to calculate all the ramifications of the Vastaamo data breach. Social security numbers are especially sensitive information in Finland, particularly when combined with other personal data such as an address. They are also permanent identifiers, which means victims will potentially need to "watch their back" for the rest of their lives. Authorities have explained that a social security number can be changed only if someone is a victim of continuous harassment or in serious danger (NEW: the government is discussing an exception for the victims of the hack). With a social security number, someone can apply for credit or loans in your name, sign contracts, open businesses, try to access your assets, intercept your mail, and so on. It really sucks.

The content of sessions can be used to harass, or even to target, victims. Sex predators or paedophiles could acquire this information to deliberately target vulnerable people.

What can you do if you are a victim

First and foremost: do not pay any ransom. At the moment no one knows where the information has circulated (after all, it has been in the wrong hands for over a year!) and you would have no guarantee: let's not forget that these criminals have published sensitive data of minors, so they are not exactly thieves with an honour code (if there is such a thing).

  • Do not pay a ransom.
  • Do not click on any link contained in the message.
  • Do not reply to the message or try to communicate with the blackmailer.
  • Do not delete the message. Take a screenshot and store it safely as evidence.

The following actions are the recommendations of RIKU, a large organisation offering support to victims of crime and their relatives. The list of action points has also been published by Yle News. I have examined these steps, and many of the services listed lack forms, information and pages in English. I'll do my best to walk you through them and bridge the missing information and resources, complementing them with my hands-on perspective as an international resident in Finland, which is often missing from official sources.

1. Report the crime to the police

The first step is to report the crime to the police. Do not call 112: you need to report the crime online. The forms are available in English, so no need for my help there. If you cannot report the crime online, call the police customer service. Attach screenshots of any criminal or suspicious activity. Similarly, if you find out your data has been published somewhere, take screenshots and report it to the police. The investigation may take years, so keep your expectations for a resolution low. However, it is important to start an official record of what is happening to you as soon as possible.

2. Alert your bank

Contact your bank and alert them that your data has been stolen. Ask whether they have noticed any suspicious activity and ask them to be on the lookout. Banks usually require strong online authentication, so I think the risk is low there. At the same time, their phone customer service asks for personal details to verify identity, so there is room for human error. This is why it is important that your file is clearly marked as being at risk of identity theft.
Keep an eye on your transactions and, if you spot anything suspicious, contact your bank immediately. Review your electronic invoices (e-laskut): consider setting a lower threshold for automatic payment or switching them to manual approval, and delete the inactive ones.

3. Buy a credit ban

Criminals may try to apply for loans or credit cards in your name. Requesting a credit ban (luottokielto) does not prevent you from applying for credit cards or credit yourself: it simply alerts lenders to carry out stricter identity verification. A credit ban is valid for 2 years and costs about 15-20 euros. There are only two companies providing this service in Finland: Asiakastieto and Bisnode. You have to request a credit ban from both, because they serve different businesses. Their forms are currently only in Finnish, but Google Translate does the job: I recommend using Google Chrome, which can translate the pages in place. Vastaamo has announced that it will reimburse victims who request a credit ban from Asiakastieto (contact Asiakastieto customer service or fill in this form).

4. Protect your mail

Someone might try to intercept your mail or change your address without you knowing. You can prevent that as follows. These instructions work both in the OmaPosti app and on Posti's browser portal:

5. Notify the Patent and Registration Office

One of the risks of identity theft is that someone might try to register you as the responsible person for a business, an association or a foundation. This can create issues with your credit as well as your criminal record. To prevent that, you can request a registration ban (rekisteröintikielto) from the responsible authority, PRH. Instructions can be found here, only in Finnish. Don't worry, these are the steps: fill in this form, print it, sign it and send it to PRH via secure mail. You can find an unofficial translation of the form here for your understanding.

The ban will not affect your existing roles. For example, if you already have a business, it will not be affected. The ban applies only to future registrations, and you can revoke it whenever you want.

6. Protect your information in the Population Information System

The Finnish Population Information System is a national digital register that contains basic information about the residents of Finland. To prevent unwanted manipulation of your data, you can set up a series of bans:

  • Non-disclosure for customer register updates (asiakasrekisterin päivityskielto): your data will not be disclosed to companies that update their customer registers from the system (e.g. newspaper publishers). If you move to a different address, you will need to update these companies yourself (or lift the ban).
  • Non-disclosure for public registers (henkilömatrikkelikielto): your data will not be disclosed for the compilation of public directories (e.g. by educational institutions).
  • Non-disclosure for genealogical research (sukututkimuskielto): your data will not be disclosed for genealogical research (e.g. family searches, academic research on genealogy or genetics).
  • Non-disclosure for direct marketing (suoramarkkinointikielto): your data will not be disclosed for marketing, market surveys or polls.
  • Non-disclosure of contact details (yhteystietojen luovutuskielto): your contact details will not be shared (except for credit repayment purposes and to some authorities, such as the police).

The system is unfortunately only in Finnish and Swedish, but I'll walk you through it:

  • access the register here;
  • click on "Käynnistä tarkastus" (= start the inspection) and log in securely with your bank credentials or mobile verification;
  • click on "Näytä" (= show) to see your personal data;
  • in the top menu, click "Ilmoita itse" (= report yourself);
  • in the left menu, click on "Tietojenluovutuskiellot" (= information disclosure bans);
  • select the bans you want to set by ticking the box in the column "lisää kielto" (= add ban);
  • send the change (button "Lähetä" = send) and you will be notified via email when the update is complete.

7. Disable Klarna and similar credit services

Klarna requires minimal information to grant credit. If that information is in the wrong hands, you can no longer use these low-threshold credit services safely. Request deletion of your Klarna account through this form or via their customer service.

8. Contact your mobile and phone operators

This instruction was not 100% clear to me. Apparently phone operators like Telia, DNA or Elisa can disclose your information in some cases (?!). You can contact your phone/mobile operators and ask that:

  • your address information is never disclosed;
  • any change to your contract(s) has to be done by you in person at one of their contact points;
  • they do not disclose any of your personal or contract information.

Similarly (and this is my own unofficial recommendation), I suggest alerting other service providers, for example your electricity supplier, to this risk.

9. Set up Google alerts

So far the hackers have published information only on the dark web (I have no idea how to monitor that myself, but I know there are companies offering that service). It is good practice to monitor the "normal web" as well, and Google can do it for you. Set up some Google Alerts to check whether your data gets published somewhere. Do not write your full social security number in an alert, though! Put exact phrases in quotation marks so the alert only matches that exact combination. Some suggestions:

  • name + surname (e.g. John + Smith)
  • name + surname + start of soc. sec. number (e.g. John + Smith + “010180-“)
  • name + surname + address street (e.g. John + Smith + Asematie)

You will get an email if any of this information is published, so you can rest a little easier on this one. You can also choose to remove your personal information from Google or Bing search results altogether.

10. Power up your personal cybersecurity

It is time to review and power up your own cybersecurity. Now that your personal information is in the wrong hands, it would be ten times worse if your phone, email account or bank credentials were compromised too, as they are now your safest means of confirming your own identity. Enable two-step verification in all relevant services (an authenticator app is preferable to SMS codes, since a code sent by text message is only as safe as your phone number). I also recommend using a password manager such as LastPass. Make sure you have a different, strong password for every account. Do not share your passwords with anyone, not even your partner (and if you do, change them if the relationship ends). Better safe than sorry.

Support

Mental health

There is no doubt that the Vastaamo data breach has been a deeply violating experience. Victims have lost control not only over their personal data, but also over the most intimate details of their lives, as the hackers and Vastaamo have violated the confidentiality of their therapy sessions. It is of the utmost importance that you honestly check in with yourself about any support you might need, at any time during the process. If you find it hard to complete the recommended action points, ask for help.

Mieli has a crisis hotline that operates in several languages. In addition, they are organising support groups for victims of the Vastaamo data breach. The groups meet on virtual platforms and you can participate anonymously. At the moment the groups operate in Finnish, but if there is enough demand I am confident they will organise some in other languages. For more information contact ryhmatoiminnat@mieli.fi.

Legal advice and general information

RIKU provides support and assistance to victims of crime and their relatives. While their hotline does not operate in English, you can request a call back from a volunteer who speaks English.

There is now a web portal that aims to collect useful information and news for victims and the general public: Tietovuotoapu.fi. It was initially available only in Finnish, but it is now available in English as well.

If you want legal advice or want to know more about your rights as a consumer, the Consumers' Union has a hotline dedicated to the Vastaamo data breach (tel. 09 454 22150, Mon–Fri 9–12 and 13–16).

Compensation

Check with your insurance provider whether your policy covers identity theft. If not, consider buying one: most providers are willing to offer cover as long as your information has not been shared yet (even if it has already been stolen, so there is a time window to act!). Check out MySafety, as well as insurance providers like Pohjola. Insurance can cover legal expenses or damages in case something happens.

Once the criminal investigation has run its course (months, possibly years), there might be a class action and you might be entitled to compensation from Vastaamo. Keep an eye on the Finnish Competition and Consumer Authority for that (check the Finnish version of their site, as it is richer in information). They even have a newsletter you can subscribe to.

As mentioned above, Vastaamo has promised to reimburse credit bans. It’s a good idea to keep an eye on their news section to see if they will take further steps to compensate customers.

More information & news

Here are additional sources of information on the Vastaamo data breach:

I hope this is useful. I have tried to collect and translate as much information as I could from all the sources I could find. Please help me reach more expats in Finland by sharing this post on social media. This was a heinous act targeting vulnerable people, and I condemn it. If you have been affected, I am sorry. Take care of yourself and take all precautions to minimise your risks.

Update 29.10.2020 18:39. New articles added. Victims’ website now available in English. Citizen’s initiative on identity verification added.
Update 5.11.2020 20:06. Added instructions to contact F-secure for victims who paid the ransom. Added form to get a refund from the Asiakastieto credit ban.
Update 9.11.2020 19:11. Added one article to the news article list.

Feature photo by Joan Gamell on Unsplash.
