City of Helsinki Education Division breach
An attacker exploited an unpatched vulnerability in a remote access server to breach the City of Helsinki's Education Division, exposing personal data of tens of thousands of students, guardians, and staff, plus sensitive welfare records.
- Victim
- City of Helsinki (Education Division)
- records
- 120.0K
- users
- 120.0K
On 2 May 2024, the City of Helsinki disclosed that its Education Division had suffered a major data breach. The intrusion, traced to an unpatched remote access server, ranks among the largest breaches of personal data ever to hit a Finnish municipality, ultimately touching students, guardians, and the city's entire workforce.
What happened
The attacker gained entry by exploiting a known vulnerability in a remote access (VPN) server operated by the Education Division. A vendor hotfix patch was already available to close the flaw, but it had not been installed on the affected server — a lapse strikingly similar to other landmark breaches caused by unpatched internet-facing infrastructure.
Once inside the Education Division network, the intruder reached network drives containing a broad range of files. The City of Helsinki emphasised that the attacker did not obtain passwords or the contents of email accounts, but did access a large volume of identifying and sensitive personal data.
Impact
- The breach potentially affected over 80,000 students and their guardians, as well as all City of Helsinki personnel — by some counts well over 120,000 individuals in total.
- Exposed data included usernames and email addresses of all city staff, plus personal identity codes and addresses of students, guardians, and Education Division employees.
- Most seriously, the attacker reached network drives holding sensitive welfare records — including information about early-childhood-education fees, the status of children, student-welfare requests, and records concerning children's need for special support.
- The city reported no confirmed misuse of the stolen data at the time, but warned affected individuals to remain vigilant.
Response
The City of Helsinki notified the Finnish Data Protection Ombudsman, the police, and the National Cyber Security Centre, and launched a public-notice campaign to reach affected groups. Finland's Safety Investigation Authority conducted an independent investigation, publishing findings on the failures that allowed the breach.
Why it matters
The Helsinki Education Division breach is a cautionary tale about patch management in the public sector. A single unpatched VPN server exposed the most sensitive records a municipality holds — data about vulnerable children and their families. It reinforced, at the local-government level, the same lesson that Equifax taught at corporate scale: that known, fixable vulnerabilities on internet-facing systems are the most common and most preventable path to catastrophic compromise.
Timeline
An attacker exploits a vulnerability in a remote access server to enter the Education Division network.
The City of Helsinki publicly announces that its Education Division was the target of a data breach.
The city reveals the breach is far larger than first thought, potentially affecting all city personnel and over 80,000 students and guardians.
Investigation confirms the attacker accessed network drives containing sensitive student welfare and special-support records.
Finland's Safety Investigation Authority finalises its report on the breach.
Sources
- hel.fihttps://www.hel.fi/en/news/city-of-helsinkis-education-division-target-of-data-breach
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/helsinki-suffers-data-breach-after-hackers-exploit-unpatched-flaw/
- hel.fihttps://www.hel.fi/en/news/investigation-into-helsinki-education-division-data-breach-proceeds
- securityaffairs.comhttps://securityaffairs.com/163088/data-breach/city-of-helsinki-data-breach.html