Imagine that you’d spoken in what you thought was total confidence to a psychotherapist, but the contents of your sessions had been saved for posterity, along with precise personal identification details such as your unique national ID number, and perhaps including additional information such as notes about your relationship with your family…
…and then, as if that were not bad enough, imagine that the words you’d never expected to be typed in and saved at all, let alone indefinitely, had been made accessible over the internet, allegedly “protected” by little more than a default password giving anyone access to everything.
Now imagine, some time later (according to some reports, the company that ran the clinic suffered data breaches in 2018 and 2019, but the overt criminality surrounding the stolen data didn’t start until 2020), that your deepest secrets, and those of tens of thousands of other trusting patients, were used in a blackmail attempt against the company.
And then, given that the company itself didn’t pay up (and what good would that have done anyway, given that the data was already out there “in the wild”?), imagine that you received a blackmail demand yourself, putting the squeeze on you to pay EUR200 to “suppress” the publication of those not-so-private-after-all talks where you had unburdened yourself to a therapist whom you reasonably assumed would keep your secrets secret.
Remember that the stolen data included things you’d said about your family and others close to you…
…and then imagine, as Wired magazine wrote in 2021 in the case of a youngster who had become an adult in the interim, if the extortionist had also contacted other people whose personal information appeared in your note, and menaced them for money, too.
That’s how the data breach saga apparently unfolded at an infamous Finnish healthcare provider, now bankrupt, called Psychotherapy Centre Vastaamo.
Thousands of complaints filed
Fortunately, if that is the right word, thousands of victims filed complaints with the police, giving Finnish authorities a clear and vital mandate to go after not only the criminals involved in the extortion, but also the senior executives at the company that allowed such an egregious data breach to happen in the first place.
Early in October 2022, the Helsinki Times reported that the former CEO of Psychotherapy Centre Vastaamo, Ville Tapio, will himself face charges over what it described as a “data protection offence [relating to] information security vulnerabilities that resulted in a leak of sensitive information on thousands of patients”.
In an interesting parallel with the recent US criminal case against Joe Sullivan, formerly CSO at Uber, Ville Tapio looks to be in trouble not only for leaving the door open in the first place, but also for not reporting the breach until long afterwards, when it could be covered up no more.
Sullivan was recently convicted in a US Federal court of what is still known in American jurisprudence by the Anglo-Norman word misprision, or covering up a crime.
According to the court, Sullivan paid off the perpetrators of a breach that involved more than 50,000,000 customer and driver records by writing up the blackmail demand from the criminals as if it were an official bug bounty report, and making the payoff look like an unexceptionable “responsible disclosure” payment instead:
Ville Tapio, like Sullivan, seems to have decided that he could get away with hiding the breach from the authorities until it couldn’t be denied any more because the extortion demands gave it away.
According to the Helsinki Times, Tapio faces up to a year in prison if convicted.
Suspected extortionist listed for arrest
But there’s more, with the alleged extortionist himself now in the spotlight of European law enforcement following an arrest warrant issued in Finland.
The Finnish National Bureau of Investigation announced last Friday that:
[We] remanded one person in absentia on probable cause of aggravated computer break-in, attempted aggravated extortion, and aggravated dissemination of information violating personal privacy [in connection with the Psychotherapy Centre Vastaamo incident].
The police have established that the suspect currently resides abroad. For this reason, he was remanded in absentia. A European arrest warrant has been issued against the suspect. He can be arrested abroad under this warrant. After that the police will request his surrender to Finland. An Interpol notice will also be issued against the suspect, who is a Finnish citizen and about 25 years of age.
We’ve not been told his name, or where he is currently thought to be hiding out, but we’ll keep our eyes on this case, as well as the case of the CEO who is alleged not to have done enough to stop the breach in the first place, and to have effectively swept it under the carpet until it came out anyway when tens of thousands of victims were blackmailed as a result.
What to do?
- Rehearse what you will do if you suffer a breach yourself. You are not preparing to fail if you do so, but you are failing to prepare if you don’t. Learn what your reporting obligations are, and practise what you would say to those affected by the breach. As this case suggests, prompt disclosure would at least have prevented tens of thousands of vulnerable people finding out about the breach from extortion demands made directly to them and their families.
- Consider filing a personal report if you are caught up in a breach. This helps regulators and law enforcement collect evidence; helps to determine an appropriate level of response (if no one says anything, then it’s hard to convince a court that real harm was done); and helps the authorities demand higher cybersecurity standards in future.
By the way, the Finnish authorities are still hoping to persuade about 10,000 affected people who haven’t yet filed a report in the Vastaamo case to do so…