A young Finnish man was arrested in absentia due to a data breach at Vastaamo
DISTRICT COURT Helsinki police arrested a 25-year-old man in absentia on Friday on suspicion of breaking into the patient register of the Psychotherapy Center Vastaamo.
The Finnish man is suspected of aggravated computer hacking, attempted aggravated extortion and aggravated dissemination of information that violates privacy. Investigators from the Central Criminal Police (KRP) are also investigating his possible connections to extorting and distributing information about hacking victims.
The man is believed to live abroad, and according to him, an international arrest warrant has been issued press release KRP published on Friday.
“We understand that he was living abroad when the extortion happened. But where he was when the data breach itself took place at the turn of 2018 and 2019, we don’t have a clear understanding of that,” Marko LeponenThe officer in charge of the KRP preliminary investigation, told YLE on Friday.
Although the man was identified as a possible suspect relatively early in the large-scale investigation, investigators had to rule out several other names that came up during the investigation.
“The probable cause of his arrest in absentia was only very recently confirmed,” Leponen revealed.
Investigators have not yet determined how much the suspect benefited from the crime, as almost all victims have not reported the crime to the police. According to Leponen, the number of reported crimes in the case is currently around 10,000, which is small compared to the personal and patient data of the 33,000 customers whose personal and patient data has been obtained.
“We don’t have a clear understanding of the victims who paid the ransom to the perpetrator,” he added. “However, we are talking about fairly marginal amounts. Our results suggest that around 20-30 people paid the ransom.
He declined to comment on whether the investigation has uncovered other possible crimes, citing ongoing investigations by foreign authorities.
Psychotherapy center Vastaamo was declared bankrupt at the beginning of 2021, a couple of months after the first reports of a large-scale data breach had appeared. The service provider has announced that its patient database was infiltrated first in November 2018 and then in March 2019.
Ville TapioThe former CEO of Vastaamo, has been accused of a data protection offence vulnerabilities that led to the leak and publication of sensitive information about thousands of patients. Prosecutors have described the state of the company’s data security as “chaotic”.
Helsingin Sanomat on Friday wrote that the man suspected of hacking the patient database has an “exceptional” criminal record with crimes dating back to his teenage years.
In 2015, the district court of Espoo found the man guilty of 50,700 counts of aggravated computer hacking, aggravated communication interference, aggravated fraud, aggravated wiretapping and computer hacking and sentenced him to a two-year suspended prison sentence.
In 2020, he was convicted of sending false police reports to private residences of law enforcement officials in the United States and making a baseless bomb threat to American Airlines. The man has appealed the decision.
Aleksi Teivainen – HT