I thought the whole point is that they were upset that their personal life was being broadcasted to the internet.
[1] https://en.wikipedia.org/wiki/Vastaamo_data_breach#Backgroun...
The article cites "Ryan" as one of his aliases, so the id ryanlol commenting in this thread could plausibly be Kivimäki.
The results are what you might expect if you decided to just use dailymail.co.uk as a source, similar to the creator of malicious trojan virus Python being arrested https://www.dailymail.co.uk/news/article-2124114/Computer-ha...
>Pearson coded trojan viruses, called Zeus, SpyEye and Python, to automatically scour the internet in search of personal details.
Says the guy that went on a news broadcast (unmasked) to brag about hacking Sony.
$ tar cvf /var/www/html/vastaamo/vastaamo.tar . -C /var/www/html/vastaamo --exclude vastaamo.tar
-C, --directory=DIR
Change to DIR before performing any operations. This
option is order-sensitive, i.e. it affects all options
that follow.I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
"In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"
More specifically, he was charged of a data protection crime (i.e., note that in Finland these GDPR-like things are also in the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of a CEO or that CEO-level gross negligence occurred.
> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.
> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.
> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.
> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.
> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.
[1] https://www.helsinkitimes.fi/finland/finland-news/domestic/2...
It isn’t absolutely everything, it’s for negligence. If you don’t have basics in place, like independent pen-tests, ISO 27001 audits — or some equivalent — when you’re handling clinical data, then that’s negligence.
If a breach happens and you were seen to have followed best practice, you won’t be found criminally negligent.
That is part of being an executive. The buck stops with you — if you’re an executive, you’d better understand your obligations, you get the big bucks for a reason, it isn’t just a fancy job title.
Other people in the organisation can be held accountable for criminal acts, but when it comes to criminal negligence, it’s the executives that are liable, because it’s a systemic failure and you’re deemed to be in-charge of the system.
In Finland? Notably wage-compressed Finland?
No comment on the specifics of this case, I agree with you that the executive should be where the buck stops. But you would be surprised how many various execs I have met here over the years who admit behind closed doors they really do treat it as a fancy job title that barely pays above their last position, but comes with 3x the stress, and they do it simply because, well, someone has to. You can't really be surprised that most of the folks here who you might want to be in the C-suite decide it's just not worth it, that remaining a middle manager or even an IC is simply a far better value proposition.
The compensation really didn’t match what you take on in terms of responsibility and legal liability. The stress was significant too. That said, as you point out, the work needs doing.
Recommended if you have an over-active sense of duty, not otherwise.
So if not the CEO, who is accountable when something like this breach happens? The CTO? The PM The DBA? Nobody? Maybe they’ll care developer who wrote the code or botched the configuration should be prosecuted?
CEOs can justify their pay be being accountable for what their company does. They’re the CEO, after all. Maybe they’ll care more when they have some actual skin in the game.
Being the CEO of a company that handles risky, sensitive things should be risky for the CEO, personally. And their compensation can reflect that.
Provide Legal Exculpation and Sign Everything
https://how-i-met-your-mother.fandom.com/wiki/Provide_Legal_...
If that is not created -> CEO responsibility.
If that is not followed -> top level mgmt responsibility.
And so on, further down the chain.
So they're saying this is not the case?
But luckily this sort of thing never happens in the public sector. Except for when it does: https://yle.fi/a/74-20094950
However I don't see any municipality in Finland getting fines
From that link we can see that the UK fined its own Ministry of Defence 400,000 EUR.
However it appears that Finish public bodies are deemed above reproach by their government.
Yes it was. The company was fined 20M EUR on standard GDPR-basis and went bankrupt (but unlikely due to the fine alone). Please re-read the above discussion.
The CEO should be in prison.
Legally speaking, yes in every place I've ever lived if all those things are the case it's still a burglary, although the cops may call the victim an idiot.
"Breaking and entering" it's a criminal offence, and walking through an unlocked front door back door doesn't count. If you are on someone's land but didn't have to break in then that's trespass, which is just a civil offense.
Theft is a crime in any case (indeed even if you're not on their land e.g. snatching a phone off the street).
Yes there is:
https://www.legislation.gov.uk/ukpga/1968/60/section/9
https://www.college.police.uk/guidance/residential-burglary/...
> "Breaking and entering" it's a criminal offence, and walking through an unlocked front door back door doesn't count.
No breaking and entering is known as burglary. Also if you walk through the front door with the intent to commit a crime it is still burglary. The important part is trespassing with the intent to commit a crime.
See https://www.legislation.gov.uk/ukpga/1968/60/section/9 and https://www.cps.gov.uk/prosecution-guidance/theft-act-offenc...
Burglary is defined in the Theft Act 1968:
https://www.legislation.gov.uk/ukpga/1968/60/section/9
The door can be wide open. The important parts are you are trespassing with the intent to commit a crime.
It's an odd position to take, that a crime was not committed or the offense isn't as bad if the difficulties of committing the crime have been removed or reduced.
Not really, intent is a part of the crime. If the barrier for crime is extremely small, the crime itself is less egregious.
Planning a robbery is not the same as picking up a wallet on the sidewalk. This is a feature, not a bug.
Yes, it’s still wrong to take things but the guy should get like community service teaching white hat techniques or something. The CEO should be charged with gross negligence, fraud, and any HIPPA/Medical records laws he violated - per capita. Meaning he should face 1M+ counts of …
When people from high-trust societies move to a low-trust society, they either adapt to their new environment and take an appropriately defensive posture or they will get robbed, scammed, etc.
Those naïfs from high-trust societies may not be morally at fault, but they must be blamed, because they aren't just putting themselves at risk. They must make at least reasonable efforts to secure the data in their custody.
It's been like this for decades. It's time to let go of our attachment to heaping all the culpability on attackers. Entities holding user data in custody must take the blame when they don't adequately secure that data, because that incentivizes an improved security posture.
And an improved security posture is the only credible path to a future with fewer and smaller data breaches.
Using posture is a kin to modeling or showing off clothes, the likes of which will never see the streets. Let’s all start agreeing that the term is a rug cover for whatever security wants it to be. Without checks and balances.
If your posture is having your rear end exposed and up in public then…
The Internet is a dark street in rural India and your dumbass company is a pretty young white woman walking around naked and alone at 2AM. It's not your fault morally if someone rapes you, but objectively you're an idiot if you do not expect it. Now, you getting raped doesn't just hurt you; it primarily hurts people your company stores data about. Those rapists aren't going away, so we need you to take basic precautions against getting raped and we're gonna hold you accountable for doing dumb shit that predictably leads you to getting raped.
> If your posture is having your rear end exposed and up in public then…
Right, that is most companies' current security posture: Naked butt waving in the air. "Improving your security posture" is just a euphemism for "pull your pants up and put your butt down".
> Using posture is a kin to modeling or showing off clothes, the likes of which will never see the streets. Let’s all start agreeing that the term is a rug cover for whatever security wants it to be. Without checks and balances.
No, I will not agree with that; that's ridiculous. "Improve [y]our security posture" is not some magic talisman used to seize unchecked power within an organization. It's basically just the Obama Doctrine brought to computer security: "Don't do stupid shit".
Is it still a crime if the roadblocks to commit the crime are removed? Even applauded by some? What happens when the chief of police is telling you to go out and commit said crimes?
Law and order is dictated by the ruling party. What was a crime yesterday may not be a crime today.
So if all you did was turn a key and now you’re a burglar going to prison, when the CEO of the house spent months setting up the perfect crime scene, shouldn’t the CEO at least get an accomplice charge? Insurance fraud starts the same way…
https://www.patientsafety.com/en/blog/human-error-retributiv...
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
> At the end of the trial, however, this had little impact on the verdict. The presiding judge stated for the record that the mere fact that the [publicly available] software had set a password for the connection meant that viewing the raw data of the [publicly available] program and subsequently connecting to the [publicly available] Modern Solution database constituted a criminal offense under the hacker paragraph.
Yes, taking publicly available data verbatim (no ROT13, nothing) and talking to a publicly available server on the internet can in fact be a criminal offense.
> Der Vorsitzende Richter gab zu Protokoll, dass alleine die Tatsache, dass die Software ein Passwort für die Verbindung gesetzt habe, bedeute, dass ein Blick in die Rohdaten des Programms und eine anschließende Datenbankverbindung zu Modern Solution den Straftatbestand des Hackerparagrafen erfülle
> The Judge gave to protocol that just the fact that the software requires a password for the connection, implies that a look at the raw data of the program and a subsequent database connection is considered hacking.
So yes, entering an empty password can cause all of your electronic devices in all your registered residences to be seized as evidence.
Note that the decompilation is on the complexity level of "strings $binary".
There is no European country which does a worse job at both of these. Germany is easily the number one country in the world for "protocol is everything". It doesn't matter how detrimental and damaging the rules are, the rules are the rules, and they must be followed. This case is the millionth example. The rules are interpretable as it being illegal to access data with a publically available password using this password, so we're going to apply them, despite it being patently absurd. For the first point, German's reponse to Gaza (the slowest in all of the West) said everything.
I tend to refrain from being overly critical of journalists who write about me, but Joe Tidy is a special kind of idiot who wrote an entire book about me based mostly around interviews of people who aren't actually the people they claim to be.
If you choose to blindly believe what the prosecution claims, sure.
Should find out within the next couple of months if the appeals court decides to acquit.
Lol. At least it's a good reminder about bad opsec.
This rush to put everything online will destroy everyone's privacy even though privacy is the thing we all need.
The bad things that happened to you, and the bad thing you did, should be seen as somewhat outside our control.
I think of my worst google searches (nsfw stuff) and think: "Well, I'm just a chemical reaction."
But then again, I read the book A Billion Wicked Thoughts and found I'm pretty vanilla, we just don't talk about these things out loud.
Maybe my life is tame, but even when I hear from other people, everything seems pretty reasonable.
I know this is an 'after the fact' fix, but its a tool for our toolbox. We could look at people who criticize us as people who are ignorant of Determinism. (But we still need mechanisms to deter bad behavior)
Something tells me he'll try to sneak out of Finland (which is easy due to Schengen), purchase a new passport, and leave Europe.
I guess a silver lining here is the possibility that he'll commit crimes in countries with far harsher penalties than Finland.
I've lived in Finland myself, and currently live in Norway. Lax punishments for the sake of rehabilitation is the standard, and I'm fine with that. But some people, like this one, simply can't be rehabilitated.
I'm happy to take you up on this, but I feel like the stakes will need to be pretty high to justify all the effort involved.
>Something tells me he'll try to sneak out of Finland (which is easy due to Schengen), purchase a new passport, and leave Europe.
Why would I do that? I hold a valid Finnish passport, haven't had any trouble entering or exciting Schengen zone lately.
In my country they actually do put away people for life and yet we still have crime.
Apart from therapy, I expect a lot of sensitive and private information to be hacked and released in the next 10 years. Most importantly, all non securely encrypted text based communications.
Using your face or fingerprint to unlock things, which anyone can steal. Many people even have their retinal scans stored in their opticians' databases which won't be secure either as biometric ID.