"Jazz police are looking through my folders. Jazz police are talking to my niece. Jazz police have got their final orders. Jazzer, drop your axe, it's jazz police!"
> "Unfortunately, we have to ask you to pay to keep your personal information safe.”
I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.
"the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it"
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
He’s done less than seven years of time, shows no remorse and even denies doing it in the first place. You dropped the ball on this Finland, don’t be surprised when he does it again. What a disgusting human being.
I'm a broken record about this by now, but stories like these keep reminding me how broken the law is for ethical hackers in Germany. If an ethical hacker found something like this in Germany, it would from my knowledge not be clear if entering an empty password counts as "circumventing or breaking a security barrier". "No password barrier" has recently been clarified in courts, but "Static Password" hasn't.
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
Knowing the timeline of events and the nicknames attributed to him (ryanlol included), some interesting posts can be found. For example, in the period between the CEO starting communication (September 2020) and the clinic's public admission (October 2020) [1], ryanlol replied to a top comment (Oct 3, 2020): "If you’re a hospital or, say, a school district, 'never pay' is simply an unconscionable attitude" [2]. Isn't it a hacker raging at the management that refuses to pay?
I find it strange to report on a hacker releasing personal information, while building the narrative of the story with all of the personal details like "she’d had three children by the time she was 25, including twins who had been born extremely prematurely in the 1980s, weighing only a few hundred grams each", "crumbling marriage", and suicidal ideations.
I thought the whole point is that they were upset that their personal life was being broadcasted to the internet.
As per (AFAIK) this hacker's rant on some Tor-based image board, he gloated the login credentials to the Vastaamo's systems were admin:admin. So much for 'hacker god'. This is a Hackers (1995) tier vulnerability. Also, it's sickening that YOLOing security to this extent is even possible in 2020s.
FYI: Finnish "social security numbers" (really, personal identification number) are not in any way secret. They are not used like U.S. social security numbers.
Finnish personal identification number is your date of birth, a sequence number, and a checksum.
28 comments
[ 0.24 ms ] story [ 46.5 ms ] threadLol. At least it's a good reminder about bad opsec.
I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
There were multiple failures here, but a single step could've prevented the entire hack: industry-standard encryption of the sensitive information.
This rush to put everything online will destroy everyone's privacy even though privacy is the thing we all need.
The article cites "Ryan" as one of his aliases, so the id ryanlol commenting in this thread could plausibly be Kivimäki.
[1] https://en.wikipedia.org/wiki/Vastaamo_data_breach#Backgroun...
[2] https://news.ycombinator.com/item?id=24672687
I thought the whole point is that they were upset that their personal life was being broadcasted to the internet.
Finnish personal identification number is your date of birth, a sequence number, and a checksum.