Since the launch of the criminal investigation into the Vastaamo hacking incident, the police have conducted active monitoring to see whether the victims' personal data have been used for criminal purposes, such as fraud. Unfortunately, we have discovered that such associated crime has started to emerge. This phenomemon is particularly repulsive as the victims are already beaten.
We have discovered thus far that the hacked data of around a hundred individuals have been fraudulently used for various registrations. We are extremely worried that these registrations are used, for example, to commit different types of fraud. Frauds may cause victims to incur expenses, and the overall consequences may only manifest themselves long after the actual commission of the crime. This may trouble and concern the victims for a long time in an already stressing situation where sensitive information has leaked to the public.
We are only able to monitor and combat crime associated with the Vastaamo hacking incident for those victims who have reported the offence to the police. The Supreme Court has ruled that the names in the compromised patient databases are considered to be medical data that may not be used by the police in the criminal investigation concerned. Therefore, the police do not have information about all hacking victims but only about those who have reported the offence.
With this in mind, the police would like to further encourage all victims of the Vastaamo hacking incident to report the offence. This is important in view of the victims' claims but also in view of monitoring and combating associated crime. Instructions on how to report a crime can be found on the website of the Finnish Police.
We have taken every associated crime against Vastaamo customers seriously. The crimes that have been discovered are investigated regionally, and the National Bureau of Investigation is responsible for monitoring. Unfortunately, we still believe that the fraudulent use of personal data that have been leaked will continue. There are no means to stop it completely, but victims can reduce the risk of their personal data being used by criminals. The instructions given by the authorities at the start of the criminal investigation still apply and are available on the website providing information for victims of data leaks. The victims should note, however, that some of the actions they may have taken at the time are only valid for a limited period, and they should check their situation concerning the validity of actions taken.
It appears from the monitoring conducted by the police that the compromised personal data have mostly been used in services for which multi-factor authentication has not yet been introduced but a personal identity code, for example, is used for identification. The fight against this crime could be enhanced through a wider introduction of multi-factor authentication and the elimination of the use of a personal identity code alone for identification.
Furthermore, I would like to remind the victims that they should fill in the statement form which is available at police e-services to those who have reported the offence. It must be filled in to be a party to the criminal procedure and claim damages in the matter. The reason why the police have not contacted the victims in person is that we want to ensure that the victims are not exposed to new crimes because of our actions; if we released information that we would contact all victims, there would be a great risk of someone making use of the situation and impersonating a police officer contacting a victim. We consider such phishing attempts very likely because the victims' data have been widely available on the internet.
For further information, go to the website of the Finnish Police. You can also seek support and assistance from Victim Support Finland.