Prime Minister Sanna Marin (SDP) says it’s already possible under Finnish law for someone to change their official identification number.
She was speaking before the start of the government’s monthly ‘night school’ session where ministers met at the House of the Estates in Helsinki with the Vastaamo data breach and blackmail attempts at the top of their agenda.
Some of the thousands of mental health patients who had their personal records stolen by hackers have voiced concerns about identity theft if their details are made available online – and some information has indeed already been posted on the dark web by hackers.
“With regard to personal identification numbers, we already have a provision in the law that it would be possible to change them,” Marin told reporters.
“Now it is necessary to find out whether there’s a justification to use those provisions in this situation, or whether a change in legislation is needed, which is a longer task.”
The PM has asked the Ministry of Social Affairs and Health to coordinate help for the victims of the data breach. However, Marin says the Vastaamo case has highlighted the problems of having data protection and cyber security issues handled by several ministries.
In the future the whole subject could be concentrated as the responsibility of just one ministry.
Meanwhile Mikko Hyppönen, research director at online security company F-Secure, tells STT Finnish News Agency that he reckons only a few people have paid ransom money demanded by the data blackmailers.
Hyppönen had reached out on Twitter and asked people to let him know in strict confidence if they had paid any money, and he says that although he got a lot of contacts, only a “really small” number of people paid up.
“There are people who have wanted to, knew how to, and managed to pay the ransom […] there are clearly more who would have liked to pay and have tried to pay but have failed for one reason or another,” he tells STT, although he didn’t want to speculate how much money, in bitcoins, the blackmailers might have received.
Last week it was revealed that tens of thousands of confidential patient records, including conversations with therapists, might have been taken by hackers in at least two security breaches at Vastaamo, a private mental health services company that operates in 20 Finnish cities.
Police have described the hacking operation as “exceptional by Finnish standards because of the sensitive nature of the information disseminated online.”
On Tuesday, Helsinki District Court put a temporary freeze on the assets of Vastaamo’s former CEO Ville Tapio and his parents, who used to hold a majority stake in the business, after papers were filed by the parent company of an investment group that bought them out.