Advice and guidance for victims of data breaches

First steps for victims of the Vastaamo data breach

If you suspect that you may have fallen victim to the data breach, or if you received an extortion message, take the following steps:

Take care of yourself

• Don't panic. It is possible that all the kinds of personal data discussed in relation to the data breach have not leaked in your case. You are not alone, and help is available.
• If you currently have an ongoing treatment relationship with a healthcare professional, contact your doctor or therapist and arrange further treatment. It is important to ensure that currently ongoing treatment continues.
• If you need treatment, contact the emergency social and crisis services or municipal health centre of your municipality of residence.

Collect evidence

• If you have received an extortion message, take a screenshot of it and save it on your computer for a future investigation. Also make sure to keep the original message.

Do not pay the demanded ransom or otherwise communicate with the extortionist

• Paying the ransom helps perpetuate criminal activity. There are no guarantees that the cyber criminal will stop extorting you or refrain from publishing your personal information even if you pay the ransom.
• Do not communicate with the extortionist. It is probable that the information has already been leaked.

File a report with the police regarding the data breach and/or extortion

• Things to remember when reporting an offence for this particular criminal case (External link)
• Electronic reports can be submitted via the police website (External link)
• The service is available every day from 6.00 to 22.45.
• Underage people should also report any offences. Underage people may submit the report themselves or their guardian may file the report on their behalf.
• If you are unable to file a report, try again later.
• If you have received an extortion message, attach a screenshot of it to the electronic report. In case you are unable to file a report online, you can also visit the nearest police service point.

Consider the following when filing a report of an offence:

• Include the word “Vastaamo”.
• Mention to whom the possible extortion message was addressed.
• If your personal data has leaked and you know where it may have been published, include this information.
• Include information on any ransom demands, the stated method of payment and account number(s).
• Mention whether you have paid any demanded ransom.

Please use the Net tip service offered by the police if you have any other information concerning this crime

• Net tip website (External link)
• Please note that you should not use the Net tip service to report an offence.

Notify the National Cyber Security Centre Finland (NCSC-FI) of the information security breach

• You can submit a notification using the form provided by the NCSC-FI (External link) for this purpose.

Apply for a personal credit ban, can also be applied for underage people

• This prevents anyone from taking out credit in your name. In Finland, credit registers are maintained by Suomen Asiakastieto Oy and Bisnode Finland Oy.
• Underage people cannot take out loans in their own name, reducing the risk of misuse. There are no legal impediments to applying for a personal credit ban (‘oma luottokielto’) for an underage person.
• Suomen Asiakastieto Oy credit ban (External link)
• Bisnode Finland Oy credit ban (External link)
• Vastaamo will reimburse the cost of the Tietovahti service informing its users of requests made to check their credit worthiness and Asiakastieto’s personal credit ban to victims of the data breach. More detailed instructions are available on the Vastaamo website (External link).

Apply to Posti for a free-of-charge ban on address changes

• You can prevent your personal data from being used to change your address information by applying to Posti for address change protection. This also blocks any attempts to order products to another address in your name.
• Posti instructions: How to set a form block and activate moving protection (External link)

Apply to the Finnish Patent and Registration Office for a free-of-charge registration ban

• A registration ban helps prevent anyone from using your personal data to designate you as the responsible person of a company in the Trade Register, for example.

Change your password and enable two-factor authentication

• Ensure that all of your passwords are sufficiently long.
• Use two-factor authentication.

Review the terms of your insurance contracts

• Certain providers’ home insurance plans include limited legal assistance for victims of identity theft. You may have the right to compensation under the General Data Protection Regulation.

File an inspection request with Vastaamo regarding your personal data

• Under the General Data Protection Regulation, you have the right to know what personal data Vastaamo has stored on you.
• Contact Vastaamo directly via the inspection request form (External link) on the Vastaamo website (to be translated).

Have your information removed from any billing services and place a ban on their use

• Billing services such as Klarna may allow the purchase of products by invoice with very little personal information required. You can ask the billing service to delete your information on the basis of the “right to be forgotten” provided by the General Data Protection Regulation.
• The contact details of billing services can generally be found on their websites (e.g. in the privacy statement).

Contact your operator to hide your mobile subscription information

• You can have your telephone subscription information hidden in your operator’s e-services or by contacting your operator. It will usually take a few days for the information to be updated in directory assistance systems.

• DNA: self-service online (External link) and customer service contact (External link)
• Elisa: self-service online (External link) and customer service contact (External link)
• Telia: self-service online (External link) and customer service contact (External link)

Ask that your information be removed from search engine results

• You may have the right to have certain personal information removed from the Google and Bing search engines on right-to-privacy grounds.
• Google (External link)
• Bing (External link)

When the most important steps have been taken, you may also want to consider the following:

• Ban on disclosure of data from the Population Information System (External link)
• Ban on direct marketing. For more information, see the Data and Marketing Association of Finland website (External link) (in Finnish).

The above advice is based on a checklist published by the Community Cyber Response Force for those victims of the data breach who were Vastaamo customers before 2019.

The detailed checklist for the victims of Vastaamo data breach (External link) is also available in English.

Questions and answers for those whose information has leaked online

Finnish Transport and Communications Agency Traficom

• Questions and answers for victims of identity theft or data leaks (External link)

Digital and Population Data Services Agency

• Questions and answers for victims of identity theft or data leaks (External link)
• You can now block a notification of move online (External link)

Vastaamo 

Vastaamo is currently working with a number of authorities. In compliance with its obligations under relevant data protection legislation, Vastaamo will inform all customers whose data has been targeted by the information security breach.

• Common questions and answers on the data breach (External link)

What should I do if my personal data has leaked online?

Victim Support Finland

Victim Support Finland provides help and support for the victims of the Vastaamo data breach and their loved ones.

• Take the following steps if your personal data has leaked online (External link)

Office of the Data Protection Ombudsman

• Advice for the victims of the data leak (External link)

Community Cyber Response Force

The Community Cyber Response Force is a volunteer organisation formed by approximately 30 Finnish cyber security experts, which helps providers of critical services resolve and prevent cyber threats.

• Checklist for the victims of a data breach (External link)

Mannerheim League for child well fare

If you are experiencing anxiety, fear or sadness you can contact Mannerheim League for child well fare also. You can seek help anonymously. Your references won't be recorded. 

• Chat and telephone helpline for parents (External link)
• Chat and telephone helpline for children and young people (External link)

Who can help? See below for organisations providing assistance

MIELI Mental Health Finland

• See the MIELI website (External link) for a list of organisations providing assistance
• The MIELI Crisis Helpline is also available in English

Ministry of Social Affairs and Health

• List of key organisations providing help (External link)

Municipalities’ emergency social and crisis services

• Emergency telephone numbers accept calls 24/7.
• The calls and services are free of charge.
• For contact details, see the website of your municipality of residence.
• You can call the emergency social and crisis services if you are experiencing anxiety, fear or sadness. They can also help you assess your need for other services or crisis assistance.
• If you need longer-term support, they can direct you to other municipal services.
• You can seek help yourself, or a loved one can do it on your behalf.

Are you in need of telephone or chat counselling?

• For a list of organisations providing counselling services, see the “Find Help” page on this website.