Checklist for victims of a data breach
We have collected a comprehensive list of notes especially for victims of the Vastaamo data breach. If you have been a client of Vastaamo before the year 2019, your confidential information might have been stolen. The list has been updated on 08.11.2020.
Based on current knowledge, Vastaamo’s client registry was breached in November 2018, and a second, smaller breach occurred in 2019, before March 2019. According to Vastaamo, there is no indication that the whole database was leaked in the 2019 incident, but it is possible that information regarding some individuals was copied.
You can follow Vastaamo’s official updates at their website.
The stolen data contains the following:
- First name and surname
- Address (Street address, postal code, city, country)
- Finnish National Identification Number (“Henkilötunnus”)
- Phone number
- Email address
- Written appointment notes, i.e. patient reports
All of the above are classified as personal information. It is possible that your information has not been stolen or that only portions of it have leaked.
If you suspect you have been a victim of the breach or you have received a personal ransom request, please follow these steps:
Take care of yourself
- Don’t panic. It’s possible that only some of your data has been leaked.
- See below under “Where to get help in a crisis?” for a list of organizations you can talk with about your situation.
- You are not alone in this unfortunate situation. Don’t be afraid to ask for help from those near and dear to you. There are also support groups on the internet, for example on Facebook (in Finnish).
Keep a diary of your actions
- Write down your actions: what you did, when, and with whom. For example: filed a criminal complaint with the police on 24 October 2020 at 10:05; requested a credit ban from Asiakastieto on 24 October at 5 pm.
- You can also write down how much time each action took you.
- This information can play a pivotal role in the police investigation or when claiming damages.
- Keeping a diary helps you keep track of what you have done. Memory tends to work poorly in a crisis and it is easy to forget things. After a few months, it is hard to recall in what order you took actions without notes.
- If you have received a ransom message, take a screenshot of it and store it on your computer for the investigation. Store the original message as well.
- Screenshots are important evidence for the authorities. The screenshot should include the sender address.
- How to take screenshots in Windows 10: Instructions from Microsoft
- How to take screenshots in Apple macOS: Instructions from Apple
- You can also save the e-mail as a PDF file.
- Make sure that the screenshots and PDFs include timestamps, such as the time the e-mail arrived.
- You can also take a photo of your computer’s screen. Make sure that the text is readable from the photo. If it helps you can take multiple pictures to cover the whole screen in enough detail.
- Keep receipts for all incurred expenses, for example services related to credit bans, and phone calls to credit agencies, your bank, etc.
Do not pay the ransom or communicate with the blackmailer
- The extortion message(s) will contain your name and identification number. Similar messages have been sent to thousands of other people as well.
- Paying the ransom funds organized crime, and the criminals may extort you again or publish your information despite payment. Do not communicate with the criminal. The information may already have been leaked to other parties.
File a criminal complaint with the police for data leak and/or extortion
- You can report an offence online on the website of the Finnish Police. The service is available every day from 6:00 to 22:45. If you are unable to file a report immediately, please try again later. The police website has been under heavier load than usual and it’s not necessary to file a report immediately. The investigation will still continue even if all the individuals involved are not able to file a report at once.
- Reporting an offence online requires identifying yourself with online banking codes, a chip-enabled official ID card, or mobile verification. The report form guides you in filling in the needed information. The Vastaamo data breach goes under the category “Other offences” and the location is “Internet”.
- If you have received a ransom note, include a screenshot of it as an attachment.
- If you’re unable to report an offence online, please visit your nearest police station.
- The police have instructed people not to call the Emergency Response Centres.
- If you file a criminal complaint, you must mention the following:
- Word “Vastaamo”
- Who was the recipient of the ransom note
- Where information has been distributed, if you know
- Possible ransom request, account number, bitcoin address and whether you have paid the ransom.
- The police want to stress that you should not pay the ransom, because it will neither guarantee that your information is safe nor prevent misuse of the information.
Report the incident to the National Cyber Security Centre
- You can file a report with the form provided by the Finnish National Cyber Security Centre (NCSC-FI).
- Based on the notifications, the NCSC-FI investigates security violations and threats to information security in network services, communications services and value-added services, collects information on these incidents, and helps organisations with instructions and sometimes with technical assistance. In addition to general cybersecurity information, they can also offer more technical help.
Request a personal credit ban (prohibition of automated credit)
- This ensures that nobody can take a loan in your name. Finland has two companies maintaining credit registries: Asiakastieto and Bisnode Finland (in Finnish). We recommend requesting a credit ban from both. Note that the credit ban lasts for two years at a time, and you will have to renew it if you wish to continue it.
- Asiakastieto charges 19,95 € for the ban. You can request it online from Asiakastieto.
- Vastaamo promises to reimburse the victims of the data breach for the costs incurred by Asiakastieto’s credit ban and the Tietovahti service, which notifies a customer of credit information inquiries. A form for the reimbursement procedure will be made available at the Vastaamo website later. For more information, check the Vastaamo website.
- Bisnode’s credit ban costs 13,95 €. You can request it online from Bisnode (in Finnish).
- A credit ban can prevent criminals from using your personal information for fraud. Using the personal identification number and other personal information, a criminal may be able to make small purchases or open other lines of credit in your name. This voluntary credit ban does not prevent you from buying in installments or requesting other credit. You will receive a separate certificate, which you can personally use to prove your creditworthiness despite the voluntary credit ban.
Request an address-change prohibition from Posti, free of charge
Request a registration ban from the Finnish Patent and Registration Office (PRH), free of charge
- A registration ban will prevent fraud where you are registered as a responsible person for some company. When you request a registration prohibition from PRH, you can’t be registered as responsible for any company or registered organization.
- You can request the prohibition as instructed by the Finnish Patent and Registration Office (in Finnish).
Consider prohibiting the release of your information from the Finnish Population Information System
- If your information has changed after the breach, it may be a good idea to protect your current contact details. This would prevent anyone from obtaining updated information on you from the system.
- Finnish Digital and Population Data Services Agency: Refuse allowing the release of your data (in Finnish).
Passwords and two-factor authentication
- Phishing and spam emails may increase, and several parties may try to extort you. Cyber criminals may distribute and sell your information to other criminals, and some may try guessing your passwords on different services. Make sure you have a strong password for every service and start using two-factor authentication where possible. You should also change the password of the email account that has been leaked.
- Instructions for creating strong passwords
- The longer your password is, the safer it is. A good minimum length is 16 characters.
- Use both lowercase and uppercase letters combined with special characters and digits.
- Typos, dialects, spoken idioms and other “broken words” make your password / passphrase stronger.
- Use a unique password for every service.
- Be especially careful with important passwords, like the email account password that can be used to reset other passwords.
- Never reveal your passwords to anyone! Official authorities will never ask you to disclose your password!
- Start using a password manager software so you won’t need to remember your passwords. For example, the Finnish F-Secure ID Protection or open source KeePassXC are solid programs for this.
- Start using two-factor authentication on all services, such as email or social media sites. Two-factor authentication is usually mandatory in banking services. It confirms your identity using two separate methods. While SMS is possible, a dedicated authentication app is recommended, such as Google Authenticator (Android, iOS) or Microsoft Authenticator.
Check your insurance policy
- Many home insurance policies provide limited legal assistance for victims of identity fraud. Data privacy legislation may also give you a right to compensation for damages.
Make a Subject Access Request to get a copy of your personal data from Vastaamo
- According to the European General Data Protection Regulation (GDPR), you have the right to know what data Vastaamo has collected about you. This can help you decide what you want to do next.
- Contact Vastaamo using their “request for access to personal data” form. More information about Vastaamo’s data protection is available on their website (in Finnish).
- Understand that it may take several weeks to get an answer.
Remove your information from billing services and prohibit service usage
- Billing service companies may allow purchases with very little authenticating information about the invoiced person. Ask the billing service company to remove your personal information, as is your right under the GDPR.
- For contact information of billing service companies, consult their web pages and privacy documentation.
- Update: Klarna has informed (in Finnish) that they are now checking credit bans at Asiakastieto and Bisnode in real time and thus consumers do not need to apply for a separate ban for Klarna purchases.
- You can prohibit the operator (DNA, Telia, Elisa and others) from passing your address and other information.
- To limit changes without official identification, you will have to visit their service point in person.
Your Right to be Forgotten from search results
- Was the leaked email your work email rather than your personal one? Contact your employer, for example your human resources manager. You may get support.
- Consider special non-disclosure for personal safety. This is a special protection for cases with a serious threat of physical violence. Talk with the police.
- Monitor your digital footprint actively in the future. You can use the Have I Been Pwned? service to notify you if your information has been leaked publicly. The service is maintained by the security expert Troy Hunt. Alternatively, you can use the Identity Theft Checker from the Finnish F-Secure or the Finnish Badrap.io service.
- You can set up Google Alerts for your own name. The service sends you an email if a keyword you provide appears in Google Search results. Keywords can be, for example, your own phone number, name and email address.
- If you receive a registered letter, verify its sender before you sign for it. The sender might be a criminal who wants to verify your address.
Where to get help in a crisis?
Vastaamo crisis phone
National crisis helpline
- National Crisis Helpline in Arabic and English available Monday and Tuesday from 11 to 15, Wednesday from 13 to 16 and 17 to 21, Thursday from 10 to 15 at 09 2525 0113.
- More information from Mental Health Finland website.
Church conversational help
- Church conversational help is available through phone, chat, email or letters.
- Via Letter: Write a letter and send it to address: Palveleva kirje, PL 210, 00131 Helsinki. If you want a reply, please include your name and address information.
- Via Phone: 0400 22 11 80, available every night from 18 to 24. Your operator will charge normal phone call fees.
- Via Chat: Conversations are confidential. The person making contact is anonymous to the duty officer. Chat is available Monday to Friday from 12 to 24. A link to the chat is available on the Church conversational help website.
Victim Support Finland
City of Helsinki provides help for residents around the clock
Check your municipality’s emergency social and crisis services
- Familiarize yourself with your own municipality’s emergency social and crisis services, e.g. on your home municipality’s website.
The Consumer’s Union of Finland’s open counseling for consumers and patients
Questions and answers to the victims of the data breach
If you have any information that could help the police investigation, you can send them a tip online. Note that this Net Tip service is not for reporting criminal offences! You can give the tip on the Police website.
This document has been created in co-operation with the Finnish Police, Finnish Criminal Sanctions Agency, Finnish National Cyber Security Center, Confederation of Finnish Industries and cyber security professionals of KyberVPK.
Are we missing something? Any comments? Don’t hesitate to contact us at firstname.lastname@example.org
The article will be updated as necessary.