Data breaches

Data breach means an unauthorised intrusion into an information system, service or device, or the unauthorised use of an application, such as an email account, with the credentials obtained. A data breach is a punishable offence as defined in the Criminal Code of Finland and an attempt to commit a data breach is also punishable. A mere unauthorised intrusion into a system meets the characteristics of a crime and does not require the exploitation of the target of a data breach or the data used there.

It is difficult to estimate the motive behind data breaches. However, the pursuit of financial gain is often behind it. For example, protected information in the system is valuable. The breached environment can also be used to distribute harmful material or the functioning of the breached environment can be paralysed with the use of ransomware. The attacker can use the breached environment as a part of other attacks, such as denial-of-service attacks.

The motive of the perpetrator may be, for example, harassment, blackmail, or even espionage by a state actor. Data breaches are done by criminals, state actors and even individual people. Data breaches happen constantly, but more severe cases are rarer. 

A large number of data breaches are detected each year. A large part of these are harmless breaches targeting social media accounts or online banking credentials stolen in various phishing campaigns.

The most significant change in data breaches is that attackers have developed the ability to fish for multi-factor authentication codes that are used in logging in. With the use of AI, the language of phishing campaigns has improved.

Stolen information may be published or the person holding the information can blackmail the victim by demanding a ransom. Criminal use can be harassment, blackmail or espionage. 

Data breaches against a private person can be used, for example, in identity theft, in which case the other person tries to impersonate the person who was the subject of the data breach. A data breach can also be purely intimidation. When a private individual is the victim of a data breach, they may experience problems with systems that are not working or personal information that has fallen into the wrong hands.

For a private person, the most effective way is multi-factor authentication and general information security. Multi-factor authentication refers to a method of identifying the user of the service that complements the use of a username and password. An example of complementary identification methods is the one-time password number cards used in online banks and the codes sent to a mobile phone. The attacker, who has received the username and password, must also obtain the single-use code for the multi-factor authentication in order to succeed in a data breach.

Personal information ending up in criminal hands can be a source of great concern. You can become the victim of a data breach even if you had done everything right. 

The NCSC-FI guide for private persons to protect yourself against data breaches (External link) 

The NCSC-FI guide for organisations to protect yourself against data breaches (External link) 

The purpose of NCSC-FI’s CERT, i.e. Coordination Centre, activities is to prevent and investigate information security incidents and to disseminate information on information security matters. CERT handles information security incident reports and supports the organisations which have made the report in investigating the incident. The NCSC-FI also distributes information to citizens and on its part guides individuals on what they can do if their information has been the target of a data breach or a leak.