Monday 1/24/22

Police asked Vastaamo to hide data theft from customers a month ago

The company only informed its clients last Wednesday, after the criminals made the case public and began to disclose their personal information.

The crisis line set by the company only answers queries in Finnish, despite providing service in English and charging a premium fee for it, a reader says.


The Finnish police asked the psychotherapy center Vastaamo not to inform its customers about the hacking of its client files and the theft of sensitive data on the mental health of thousands of people.

According to the newspaper Ilta-Sanomat, the chairman of the board of Vastaamo, Tuomas Kahri, said this:

"The police asked us to restrict information on everything that happened for investigative reasons and also issued a disclosure ban," Kahri told the Finnish news agency STT by SMS.

The company only informed its clients that their data had been stolen last Wednesday, after the criminals made the case public and began to disclose their personal information.

The extortionists have stolen the company's client files dating back to November 2018.

"Protect the investigation"

The Finnish National Bureau of Investigation (KRP) held a press conference on Sunday to report on the case. According to Commissioner Marko Leponen, Vastaamo reported the theft of data and the extortion on 29 September, almost a month ago.

Commissioner Leponen justified the request that the company not report the scandal by citing the need to protect the preliminary investigation and limit the damage.

Since Wednesday 21 October, Finland has been shaken by the extortion carried out by a group of hackers against the private psychotherapy centre Vastaamo, which also provides services to customers paid for by the Finnish Social Security (Kela).

The extortionists are demanding 450,000 euros (in bitcoins) in exchange for not publishing the mental health data of thousands of people. The hackers have been publishing the data of 100 people every day on the encrypted Tor network. They claim they will not stop until they get the payment.

Sensitive personal data of hundreds of people - such as names, identification numbers, phone numbers, emails and residence addresses, together with the content of the therapy sessions - have been released online.

Support, but not in English

The blackmailers have also been contacting individual patients and offering them the possibility of deleting their own data by paying about 540 euros in bitcoins.

The police advised them not to pay any ransom, but to file a complaint. Several thousand complaints have been registered so far.

The company said in a statement on Sunday that it is now focused on collaborating with public authorities and supporting all its customers.

A reader contacted us to say that "the crisis line Vastaamo has set up does not answer queries in English. Unfortunately, this was only discovered after being on hold for 1.5 hours."

"Not offering English customer service is perhaps surprising as they offer services in English and are happy to charge a premium (fee) for this," this reader complains.

Prime Minister Sanna Marin described the attack as "shocking" and wrote on Twitter that authorities are looking for ways to help the victims.