2025-06-24

A 2024 data breach affecting Helsinki, Finland's capital and largest employer, which exposed sensitive personal data of over 300,000 people, offers valuable lessons for cybersecurity professionals. The incident was the subject of a year-long investigation by the Safety Investigation Authority of Finland (SIAF/OTKES), which published its technical report on June 17, 2025. Matias Mesia, a senior specialist at Finland's National Cyber Security Centre (NCSC-FI), led the agency's task force that helped Helsinki recover from the breach. During FIRSTCON in Copenhagen on June 23, he shared insights into the incident and the strategies used to contain and mitigate the breach, offering practical guidance for others facing similar cybersecurity challenges.

Matias Mesia (second from the left) during his talk at FIRSTCON, in Copenhagen. Credit: Infosecurity Magazine

Insights on Helsinki's 2024 Data Breach

With around 40,000 employees and a budget of €4-5m ($4.6-5.8m), Helsinki is not only the capital and biggest city of Finland, home to 12% of the country's population (686,595 residents in March 2025), but also the country's largest employer.

At 11.30 pm on April 30, someone from the City of Helsinki filed a report to NCSC-FI about a potential data breach. Following early media reports the next day, Helsinki issued a public disclosure on May 2, stating that the breach affected the city's Education Division, known as KASKO.

Within days of an investigation by the City of Helsinki, NCSC-FI and a private digital forensics and incident response (DFIR) partner, the compromised device was identified: a Cisco ASA 5515 firewall appliance used by KASKO as the receiving router for VPN connections. The hardware had been installed in 2014 and was last updated in 2016. In 2017, the people responsible for the device left the organization.

Source: NCSC-FI and TRAFICOM, via FIRST

The attacker's modus operandi was also identified early in the investigation. It began with brute-force attacks, followed by exploitation of a vulnerability via a remote connection between a user's computer and the router using Cisco AnyConnect software. The device crashed, allowing the attacker, who was logged in with credentials found on the dark web, to move laterally within the internal systems and gain privileged access to Microsoft Active Directory, a virtualization server and a backup server, from which data was stolen.

While Helsinki quickly realized that the amount of data was considerable (approximately 10 million documents, or 2TB of data, had been stolen), it initially believed that 120,000 people could be affected, before revising the figure to 15,000 and then to over 300,000 people. The victims included a wide range of people, such as city employees, childcare benefit applicants, private school staff members, students in integration training, and students born between 2055 and 2018 and their relatives.

Source: NCSC-FI and TRAFICOM, via FIRST