Advice for the victims of the data leak

25.10.2020 18.22
Press release

The National Bureau of Investigation is investigating the data system break-in at the psychotherapy centre Vastaamo. Extortion messages have also been sent to private individuals who have become victims of the data leak. Below, we have gathered advice for the victims of the data breach.

1. File a report of an offence with the police if you notice that the leaked information has been disseminated or if you have received an extortion message related to the Vastaamo data system break-in.

Do not respond to the extortion message or pay the extortionist. Enter all information about the sender and the time when the message was received accurately into the report of the offence. Save and store the e-mail messages, other messages and other possible evidence you have received.

Downloading, opening or otherwise processing the leaked information is not recommended without sufficient technical and legal expertise.

Filing an electronic report of an offence in the e-service of the police

You can also file a report of the offence at the local police department.

2. Monitor your bank transactions.

If you notice transactions in your bank account that you have not made yourself, file a complaint with your bank. The customer service of your bank will give you more instructions. You should also file a report of an offence concerning the transactions with the police.

3. Consider getting an ‘Oma luottokielto’ personal credit ban. The credit ban reduces the risk of identity theft as well as credit card purchases and payday loan withdrawals by a third party.

You can get an ‘Oma luottokielto’ personal credit ban via the websites of Suomen Asiakastieto Oy (in Finnish) and Bisnode Finland Oy (in Finnish). Both companies maintain their own credit information register. It is possible that the credit provider only checks the information from one of the credit information registers.

The credit ban is subject to a charge. Vastaamo has stated that it will reimburse the purchase of security services by victims of the data breach. You can find more information and instructions in Vastaamo’s bulletin (in Finnish).

The ‘Oma luottokielto’ personal credit ban is saved in the credit information register maintained by Asiakastieto or Bisnode. When credit is applied for or an agreement is drawn up, some of the parties granting credit will receive information about the credit ban you have set up yourself. In that case, a bank or an online shop can verify the identity of the credit applicant more carefully than usual.

4. Notify the Finnish Patent and Registration Office that you cannot be entered in the Trade Register as a responsible person of a company or corporation without your explicit consent.

Notice to the Finnish Patent and Registration Office (in Finnish)

You can also check your roles in the Trade Register via the Suomi.fi service.

5. Request address change protection from Posti and consider prohibiting the disclosure of your information.

The restriction can prevent changes of address made using your personal data.

Posti: Address change protection (in Finnish)

Posti’s instructions: How to set a form block and activate moving protection

In addition to Posti, a block on a notification of move must be made separately with the Digital and Population Data Services Agency. The possibility to block a notification of move is intended for those whose information has been used for a false notification of move, or who fear that their personal information could be used for making a false notification of move to the Digital and Population Data Services Agency.

Digital and Population Data Services Agency: Instructions for blocking a notification of move

You can also consider prohibiting the disclosure of information to the Population Information System on the website of the Digital and Population Data Services Agency (in Finnish).

6. Ask for support and advice, if necessary.

You can get help from the following parties:

Tietovuotoapu.fi (in Finnish) houses all the information relevant to helping the victims of the data breach. The site is constantly updated and will also be available in Swedish and English.

You can also find advice for the victims of identity theft or a data breach on the website of the National Cyber Security Centre.

A customer who has become the victim of a personal data breach can also ask for advice from the Office of the Data Protection Ombudsman. The office can be contacted via the classified e-mail service of the Ministry of Justice. Using the classified e-mail service is recommended especially when the message includes sensitive information. We will process the messages as soon as possible.

Instructions on how to send classified e-mail (pdf)

Our data protection policy: electronic services

7. Prepare for the possibility that the leaked information may come up again later.

Think in advance about how you will react or respond in such a situation. If you know where your information has been published or otherwise processed, you can ask the controller of the data file in question to erase the information about you.

More information about the right to erasure of information

The instructions above will be updated as needed as the investigation progresses.

The Deputy Data Protection Ombudsman has ordered Vastaamo to notify the victims about the personal data breach personally. Together with the police, the Office of the Data Protection Ombudsman will consider whether the use of the Data Protection Ombudsman’s other powers is necessary in addition to the pre-trial investigation.

Further information for the media:

Deputy Data Protection Ombudsman Jari Råman, jari.raman(at)om.fi, tel. +358 (0)29 566 6757