Helsinki Education Division Hit by Massive Data Breach in Spring 2024
In spring 2024, the City of Helsinki’s Education Division (KASKO) suffered a severe data breach, exposing sensitive information belonging to hundreds of thousands of individuals. The attack, which began in mid-April, saw threat actors infiltrate the division’s network via an improperly maintained VPN remote access server. Over the course of several weeks, the attackers mapped the intranet, expanded their access, and exfiltrated approximately two terabytes of data in four separate batches—an estimated 750,000 documents, many containing personal and sensitive data.
The breach went undetected for an extended period due to gaps in network monitoring and delayed responses to security alerts. Once identified, the city acted swiftly to contain the attack and implement remediation measures. Investigators determined that the incident was enabled by two key vulnerabilities: the unpatched VPN server and the accumulation of excessive, unmanaged data on a network drive over several years. Organizational changes, unclear responsibilities, and lax enforcement of data storage policies further exacerbated the risks.
The compromised data included records of learners, city personnel, and third-party partners, raising concerns about potential misuse for identity theft or fraud—though no such activity was detected during the investigation. Identifying all affected individuals proved difficult, particularly for former employees and past learners, and no comprehensive effort was made to notify them.
As a result of the investigation, four recommendations were issued, primarily directed at Finland’s Ministry of Finance. These measures aim to address systemic issues in information security governance, including fragmented legislation, unclear compliance obligations, and the need for stronger oversight in the local government sector. The breach underscores the risks of inadequate cybersecurity practices in public institutions handling large-scale sensitive data.
Source: https://databreaches.net/2025/06/17/investigation-of-2024-helsinki-data-breach-report/
Helsingin kaupunki – Helsingfors stad – City of Helsinki cybersecurity rating report: https://www.rankiteo.com/company/city-of-helsinki
{
  "id": "CIT1767600354",
  "linkid": "city-of-helsinki",
  "type": "Breach",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Hundreds of thousands '
                                              '(learners, personnel, previous '
                                              'employees, partners)',
                        'industry': 'Education, Public Sector',
                        'location': 'Helsinki, Finland',
                        'name': 'City of Helsinki’s Education Division (KASKO)',
                        'size': 'Large (hundreds of thousands of affected '
                                'individuals)',
                        'type': 'Government/Education'}],
 'attack_vector': 'VPN remote access server exploitation',
 'customer_advisories': 'Challenges in contacting all victims (previous '
                        'employees, learners, partners)',
 'data_breach': {'data_exfiltration': 'Yes (approx. 2 terabytes copied in four '
                                      'instalments)',
                 'number_of_records_exposed': 'Approx. 750,000 documents',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (includes sensitive personal '
                                        'data)',
                 'type_of_data_compromised': ['Personal data',
                                              'Sensitive personal data']},
 'date_detected': '2024-04-30',
 'description': 'The City of Helsinki’s Education Division (KASKO) was '
                'targeted by a serious data breach in spring 2024, resulting '
                'in the exposure of a large amount of data concerning '
                'learners, personnel, and other entities with direct or '
                'indirect dealings with the City. The attacker gained access '
                'to approximately 750,000 documents, some containing sensitive '
                'personal data.',
 'impact': {'brand_reputation_impact': 'Likely significant due to exposure of '
                                       'sensitive personal data',
            'data_compromised': 'Approx. 2 terabytes (750,000 documents)',
            'identity_theft_risk': 'High (data can be used for identity theft '
                                   'and fraud)',
            'operational_impact': 'Immediate management measures and repairs '
                                  'were launched to stop the attack',
            'systems_affected': 'City of Helsinki’s intranet, network drives, '
                                'servers'},
 'initial_access_broker': {'entry_point': 'VPN remote access server',
                           'reconnaissance_period': 'Mid-April 2024 (mapping '
                                                    'targets on intranet)'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Shortcomings in network monitoring, ambiguous division of '
                    'responsibilities, accumulation of unmanaged data, and low '
                    'awareness of information management regulations '
                    'contributed to the breach. The attack persisted due to '
                    'delayed response to alerts.',
 'post_incident_analysis': {'corrective_actions': ['Improved network '
                                                   'monitoring',
                                                   'Clarification of '
                                                   'responsibilities',
                                                   'Data management reforms',
                                                   'Enhanced maintenance of '
                                                   'critical systems'],
                            'root_causes': ['Unmaintained VPN remote access '
                                            'server',
                                            'Inadequate network monitoring and '
                                            'delayed response to alerts',
                                            'Ambiguous division of '
                                            'responsibilities due to personnel '
                                            'turnover',
                                            'Accumulation of unmanaged data on '
                                            'network drives',
                                            'Low awareness of information '
                                            'management regulations']},
 'recommendations': ['Improve maintenance of critical systems (e.g., VPN '
                     'servers)',
                     'Clarify division of responsibilities within '
                     'organizations',
                     'Enforce data management policies and supervision',
                     'Enhance awareness of information management regulations',
                     'Streamline fragmented legislation and guidelines for '
                     'local governments'],
 'references': [{'source': 'City of Helsinki Investigation Report'}],
 'regulatory_compliance': {'regulations_violated': ['Local government '
                                                    'information management '
                                                    'acts',
                                                    'National data protection '
                                                    'guidelines']},
 'response': {'containment_measures': 'Immediate management measures and '
                                      'repairs to stop the attack',
              'enhanced_monitoring': 'Yes (post-incident)',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Network monitoring improvements, '
                                      'clarification of responsibilities, data '
                                      'management reforms'},
 'title': 'Helsinki Education Division (KASKO) Data Breach 2024',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unmaintained VPN remote access server, inadequate '
                            'network monitoring, ambiguous division of '
                            'responsibilities, accumulation of unmanaged data '
                            'on network drives'}