Poor Cybersecurity Practices Can Mean Personal Criminal Liability for CEOs
“What do you mean having poor cybersecurity can get me in jail?” … is what probably went through the mind of the ex-CEO of a psychotherapy clinic in Finland. As a result of poor cybersecurity practices, and the ensuing breach, theft, and public distribution of confidential patient sessions’ recordings, this is exactly what a Finnish court decided to do in this situation. It’s really not a good strategy to ignore the risks, and this whole story shows exactly why.
Wait, Wasn’t the Company the Victim Here?
In what could be perceived at face value as a “blaming the victim for the crime” kind of situation, there are some nuances to this whole situation that led to this outcome and make the resulting prison sentence more justifiable.
Yes, on the surface, it may seem like the company was the victim of a cyberattack. However, the court’s decision to hold the ex-CEO accountable goes beyond that simplistic viewpoint. The details of this case reveal several key factors that contributed to the charges and the eventual suspended prison sentence.
First and foremost, the company failed to adhere to GDPR requirements concerning the pseudonymization and encryption of patient data. This oversight left the sensitive information of tens of thousands of patients vulnerable to theft and unauthorized access. The therapy center’s database stored patients’ personal information and session notes in plain language, without any form of adequate encryption. Consequently, the attacker could easily match individual therapists’ notes and medical records with patients’ personal details.
In addition, the court found that the ex-CEO’s actions were particularly reprehensible due to the scale of the data breach and the sensitive nature of the information involved. The court believed that the crime’s seriousness warranted an unconditional jail sentence. However, considering the ex-CEO’s clean criminal record and other circumstances, the court ultimately settled on a suspended sentence.
Moreover, the investigation revealed that the CEO and IT managers were aware of the security problems, the data breach, and the subsequent blackmail demands. Instead of reporting the incident to the authorities, the CEO ordered the concealment of any evidence related to the breaches and blackmail attempts. This failure to act and the attempt to cover up the incidents were significant factors in the court’s decision to hold the ex-CEO accountable. While the CEO’s sentence was the most relevant, he was not the only individual to be investigated for negligence in this situation, and other high-ranking company executives were also under scrutiny for their actions, or lack thereof, in ensuring that proper security measures were in place.
Impact from the Hack
The hack of the psychotherapy center, Vastaamo, was a massive data breach with far-reaching consequences for both the victims and the company. The attackers managed to steal highly sensitive information from tens of thousands of patients, including patient records, therapy session notes, diaries, diagnoses, and contact information. To make matters worse, some of these files were published on the dark web, exposing the victims’ most personal and confidential information to the public.
The impact on the victims was devastating. With their sensitive information compromised, many patients faced potential harm to their mental health, personal relationships, and professional lives. In an attempt to control the damage, the attackers demanded ransoms from both the company and individual patients and staff members. They threatened to leak more information if their demands were not met. However, the firm and the affected individuals refused to pay the ransoms.
In addition to the personal toll on the victims, the data breach had severe repercussions for Vastaamo as a company. The public exposure of the sensitive information and the company’s failure to secure and protect the data resulted in a loss of trust in the organization. Vastaamo, which had treated over 30,000 patients and served as a subcontractor to several major public-sector hospital districts, filed for bankruptcy in February 2021, just months after the breach came to light.
The Hacker and Their Activities
The hacker(s?) behind the Vastaamo data breach demonstrated a high level of sophistication in their activities. They managed to infiltrate the company’s systems and steal sensitive information of tens of thousands of patients. As the investigation unfolded, it was revealed that the hacker targeted Vastaamo in two separate data breaches in November 2018 and March 2019. However, due to the gap in time between the breaches and the extortion attempts, it is possible that the perpetrators of each crime may not have been the same.
Following the breaches, the hacker resorted to blackmail, demanding ransoms from the company and individual patients and staff members. They threatened to leak more sensitive information if their demands were not met. The attacker then published some of the stolen files on the dark web.
As the investigation progressed, authorities discovered that the main line of inquiry pointed outside of Europe. There has also been an extradition from France to Finland that appears to be directly related to this incident.
The ex-CEO of Vastaamo, Ville Tapio, became personally liable due to his failure to fulfill GDPR requirements concerning the pseudonymization and encryption of patient data. This failure in data protection left the sensitive information vulnerable and directly contributed to the data breach. Tapio’s actions (or lack thereof) played a significant role in the court’s decision to hold him accountable for the data protection crime. It has been reported that he was aware of the gaps in cybersecurity at the firm for two years prior to the incidents, and had failed to act towards closing those gaps, thus failing to maintain security of confidential information pertaining to the company’s customers.
Tapio was ousted from his position as CEO in the autumn of 2020, following the revelation of the data breach. His removal from the company’s leadership demonstrated the gravity of the situation and the impact of his poor cybersecurity practices. Tapio was subsequently charged with data protection offenses and brought to court.
During the trial, the court characterized Tapio’s actions as particularly reprehensible due to the scale of the breach and the sensitive nature of the information involved. The court believed that the seriousness of the crime would justify an unconditional jail sentence. However, after considering the matter as a whole and taking into account Tapio’s clean criminal record, the court decided to impose a three-month suspended sentence instead.
While Tapio avoided actual effective jail time, it is important to note that he was not acquitted. The suspended sentence is still a criminal penalty and has significant implications for his personal and professional reputation. The conviction may hinder his ability to secure future employment, particularly in positions of trust or authority, and could lead to long-lasting consequences in his personal life.
It Could Happen Elsewhere
As cybersecurity practitioners, CISOs, and IT professionals, this case serves as a stark reminder that poor cybersecurity practices can have severe consequences, including criminal charges and potential prison sentences. It is crucial to implement and maintain robust security measures, adhere to regulatory requirements, and promptly report and address any incidents that may arise. Ignoring the risks and failing to take appropriate action can lead not only to significant damage to your company’s reputation and financial standing but also to personal legal repercussions. So, don’t wait until it’s too late – invest in your organization’s cybersecurity now and protect your customers, your business, and yourself.