Insights from Helsinki: NCSC-FI’s Contribution to Mitigating a Major Data Breach


A 2024 data breach at the City of Helsinki, Finland’s capital and largest employer, exposed sensitive personal data of more than 300,000 people and offers significant lessons for security professionals.

This incident was the focus of a year-long investigation by the Safety Investigation Authority of Finland (SIAF/OTKES), culminating in the release of its technical report on June 17, 2025. Matias Mesia, a senior specialist at Finland’s National Cyber Security Centre (NCSC-FI), headed the task force that assisted Helsinki in recovering from the breach.

At the FIRSTCON conference in Copenhagen held on June 23, Mesia shared insights on the breach and the strategies implemented to contain and mitigate it, offering practical guidance for others facing similar challenges in cybersecurity.

Insights on Helsinki’s 2024 Data Breach

Helsinki, with approximately 40,000 employees and an annual budget of €4-5 billion ($4.6-5.8 billion), is the largest employer in Finland. As of March 2025, the city had 686,595 residents, about 12% of the nation’s population.

On April 30, 2024, at 11:30 PM, personnel from the City of Helsinki reported a potential data breach to NCSC-FI. Following initial media coverage the next day, the city publicly disclosed on May 2 that the breach affected its Education Division, known as KASKO.

Within days, an investigation was launched by the City of Helsinki, NCSC-FI, and a private digital forensics and incident response (DFIR) partner. It identified the compromised device as a Cisco ASA 5515 firewall appliance serving as the city’s VPN gateway. The device had been installed in 2014, had not been updated since 2016, and the key personnel responsible for maintaining it had left the organization in 2017.

The attack began with brute-force attempts, followed by exploitation of a vulnerability over a remote connection made with Cisco AnyConnect software. After the device crashed, the attacker, using credentials sourced from the dark web, moved laterally through internal systems and gained privileged access to Microsoft Active Directory, a virtualization server, and a backup server, resulting in significant data theft.
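The brute-force stage of a chain like this is visible on the appliance itself, provided its syslog is actually being forwarded somewhere that someone reads. The following script is an added illustration, not code from the SIAF report, NCSC-FI or the City of Helsinki. It parses Cisco ASA AAA authentication messages (IDs 113005 and 113015 for rejected logins, 113012 for successful ones, in their documented format) and flags three patterns: many failures from one source against one account (brute force), failures against several accounts from one source (password spraying), and a successful login that closely follows a burst of failures for that account, which is what a leaked-credential login after spraying looks like. The log lines are constructed; the hostname, usernames, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real Helsinki logs). Lines follow the documented
# format of ASA message IDs 113015 and 113005 (AAA authentication rejected)
# and 113012 (AAA authentication successful). Host, users and IPs are made up.
SAMPLE_SYSLOG = """\
Apr 30 2024 20:58:01 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
Apr 30 2024 20:58:02 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
Apr 30 2024 20:58:04 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.7
Apr 30 2024 20:58:05 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Apr 30 2024 20:58:07 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mkoski : user IP = 203.0.113.7
Apr 30 2024 20:58:09 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Apr 30 2024 20:58:12 asa-edge %ASA-6-113012: AAA user authentication Successful : local database : user = jdoe
Apr 30 2024 21:15:40 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = akorhonen : user IP = 198.51.100.20
Apr 30 2024 21:15:41 asa-edge %ASA-6-113012: AAA user authentication Successful : local database : user = akorhonen
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>\d{6}): AAA user authentication "
    r"(?P<result>Rejected|Successful) : .*?user = (?P<user>\S+)"
    r"(?: : user IP = (?P<ip>\S+))?"
)


def parse_auth_events(text):
    """Turn ASA syslog text into a time-ordered list of authentication events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AAA authentication message; ignore it
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "ok": m["result"] == "Successful",
            "user": m["user"],
            "ip": m["ip"],  # None for 113012, which carries no source IP
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window=timedelta(minutes=5), max_fails=5,
           max_users=3, min_fails_before_success=2):
    """Flag brute force / password spraying per source IP, and any account
    whose successful login follows a burst of failures within `window`.
    Thresholds are assumptions and must be tuned per environment."""
    alerts = []
    fails_by_ip = defaultdict(list)
    fails_by_user = defaultdict(list)

    for e in events:
        if e["ok"]:
            recent = [f for f in fails_by_user[e["user"]]
                      if e["ts"] - f["ts"] <= window]
            if len(recent) >= min_fails_before_success:
                alerts.append({"kind": "success_after_failures",
                               "user": e["user"], "failures": len(recent),
                               "sources": sorted({f["ip"] for f in recent if f["ip"]}),
                               "at": e["ts"]})
        else:
            fails_by_user[e["user"]].append(e)
            if e["ip"]:
                fails_by_ip[e["ip"]].append(e)

    for ip, fails in fails_by_ip.items():
        # Group this source's failures into bursts: a gap longer than
        # `window` between consecutive failures starts a new burst.
        bursts, current = [], [fails[0]]
        for f in fails[1:]:
            if f["ts"] - current[-1]["ts"] <= window:
                current.append(f)
            else:
                bursts.append(current)
                current = [f]
        bursts.append(current)
        for burst in bursts:
            users = {f["user"] for f in burst}
            if len(burst) >= max_fails or len(users) >= max_users:
                alerts.append({"kind": "spray" if len(users) >= max_users else "brute_force",
                               "ip": ip, "attempts": len(burst),
                               "users": sorted(users),
                               "first": burst[0]["ts"], "last": burst[-1]["ts"]})
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse_auth_events(SAMPLE_SYSLOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, 203.0.113.7 is reported as a spray (six failures across four accounts in a few seconds) and jdoe as a successful login two failures after the burst; the single typo-then-success for akorhonen from 198.51.100.20 is correctly ignored. Two caveats worth noting: the burst grouping only catches attempts that arrive within the window, so a low-and-slow spray needs a longer correlation window in the SIEM, and none of this helps if the appliance’s syslog is not being exported, which is the first thing to verify for any edge device nobody has owned since 2017.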

Initially, Helsinki estimated that 120,000 individuals might be affected, later revised this figure to 15,000, and ultimately determined that over 300,000 people were impacted. The victims included city employees, childcare benefit applicants, private school staff, students in integration training, and individuals born between 2005 and 2018, along with their relatives.

There was no indication that passwords were compromised, and no ransom demand was issued. Law enforcement continues to investigate the incident, and attribution remains undetermined.

Role of NCSC-FI in the Incident Response Process

The Helsinki data breach was one of 18 ‘special cases,’ the category in which NCSC-FI provides its highest level of involvement. The agency began supporting Helsinki on May 9, 2024, deploying between 10 and 20 staff members over the course of the investigation, with half dedicated to technical remediation and the rest focused on compliance, communication, and breach reporting.

NCSC-FI offered advisory services for the investigation, aided in organizing a public press conference, provided tailored scenarios, and coordinated an expert seminar for management teams and security specialists from Finnish municipalities at the end of May 2024.

On May 30, 2024, an internal ‘lessons learned’ session was held, which resulted in five thematic reports covering organization, coordination, leadership, case coordination, technical aspects, legal considerations, and communication strategies. NCSC-FI continued to assist until late June 2024, by which time the situation had stabilized.

In July 2024, the SIAF commenced its forensic investigation.

Lessons Learned and Upcoming Developments

In a conversation after his talk, Mesia outlined three main takeaways from the Helsinki breach:

  • Cyber incidents involving compromised edge devices, particularly those that are unpatched or obsolete, should be classified as critical incidents.
  • Organizations must be prepared for the logistical demands of incident response and business continuity, including the establishment of communication protocols and operational templates.
  • Task forces should combine diverse expertise, mixing individuals who have worked past cyber incidents with those who have not.

Mesia also offered practical tips for incident responders:

  • Maintain clarity in communication channels—avoid informal chat and distractions.
  • Encourage collaboration and delegation of tasks among team members.
  • Utilize timelines to effectively communicate incident progression to leadership.
  • Conduct frequent network scans.
  • Share information about incidents beyond the immediate response team to prevent misinformation.
  • Exercise caution with sensitive information.
  • Respect the dynamics of politics and media interactions surrounding incidents.

Lastly, the Helsinki incident prompted NCSC-FI to develop a three-tier classification for cyber incidents so that resources can be allocated effectively. The framework is expected to rate incidents on a priority scale of medium, high, and critical, which will determine how many personnel are assigned to each case. It is slated to be presented at the next FIRSTCON conference.