Data breach in the Education Division
Estimated reading time 1 minute
The City of Helsinki suffered a major data breach at the end of April 2024. The Audit Committee decided to include the City’s data protection in its assessment plan and investigate the reasons behind the data breach. At its meetings, the Audit Committee heard the City's management and experts about the data breach.
Conclusions
The hacker managed to steal a massive amount of data from an online drive of the Education Division by exploiting a vulnerability in the City's remote access server and using user accounts and passwords obtained by criminal means. Immediately after the breach was detected, the City initiated measures to protect the network and prevent further damage. The data breach revealed weaknesses in the City’s data security controls, data security maintenance responsibilities and data retention practices. In addition, the City has accumulated a digital development debt over the years. These shortcomings contributed to the occurrence of a data breach of exceptional magnitude, and, therefore, the technical and administrative capacity of the City’s data security needs to be improved. The City is a large organisation in which tasks and responsibilities related to data protection, data security and data management are shared between several different operators. The data breach highlighted the need to clarify the City’s data security management.
the City Board must
- ensure that the City’s data protection measures are at an appropriate level.
- ensure that the governance of data security and data management is clearly defined.
- ensure that the responsibilities of the City’s operators regarding data security and data management are clearly defined.
- ensure that the shortcomings resulting from the digital debt are remedied.
Add new comment