Office of the Data Protection Ombudsman investigating personal data breach in Valio's network
In December 2024, Valio announced that a personal data breach had been detected in its information network, jeopardising the personal data of a large number of company personnel. On 27 January, Valio issued a release stating that the personal data breach affected a much larger number of people than originally estimated. The Office of the Data Protection Ombudsman is investigating the personal data breach to determine whether all companies targeted by the breach have complied with their obligations under data protection legislation, among other things.
The attacker obtained data concerning the personnel of Valio and its Finnish subsidiaries and milk procurement cooperatives. The breach also involved the data of Valio’s former employees and included data from the databases of Valio’s mutual insurance company and pension fund.
According to Valio, the investigation conducted in cooperation with the authorities has revealed that the data breach involves a significantly larger amount of personal data than previously thought. As far as Valio is aware, a large number of people were affected by the data breach.
Data Protection Ombudsman considering measures pending further information
The Office of the Data Protection Ombudsman is investigating the personal data breach from the perspective of compliance with data protection legislation. The criminal investigation of the data breach is being conducted by the police.
The Office of the Data Protection Ombudsman will soon send requests for information to the organisations involved to obtain the additional information required for its own investigation.
”We will next consider potential follow-up measures based on the supplementary information provided by Valio. In general, it is crucial to effectively investigate the reasons for a personal data breach so that it will not happen again. According to Valio, it has sent everyone affected by the personal data breach a letter stating which personal data have been compromised”, says Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa.
Advice for those affected by the personal data breach
People affected by the personal data breach can contact Valio directly for further information. Valio has opened an email hotline and website providing further information and advice about protecting your data.
Instructions and advice for people affected by the personal data breach are available through the following channels:
- Valio's email hotline: privacy(at)vekvkv.fi
- Valio website: What to do if you have been the target of a data breach
- Instructions on the Data Protection Ombudsman's website: Have you been affected by a personal data breach?
- Guide on the Suomi.fi website: My personal data has been stolen or leaked
Support and counselling is available from Victim Support Finland and the Mieli Crisis Helpline.
An individual is entitled to compensation if an organisation has violated the General Data Protection Regulation in a manner that has caused damage to the individual. Claims for compensation related to a data breach or other offences can be resolved in connection with the criminal trial. The claim for compensation can also be sent directly to the organisation in question.
Additional information:
Valio's release, 27 January 2025: Data breach involves more people insured by Valio’s pension fund than previously estimated (on the valio.fi website, in Finnish)
Valio's release, 20 December 2024: Data of Valio and milk procurement cooperative personnel targeted in a personal data breach (on the valio.fi website, in Finnish)