NBI suspects crime in Helsinki City´s data protection measures

The National Bureau of Investigation (NBI) has started a criminal investigation into the activities of the City of Helsinki in relation to the data breach detected in spring 2024, said NBI in a press release on Thursday.

The investigation was opened on the basis of the NBI's preliminary inquiry into the matter.

In the preliminary inquiry, the NBI investigated whether any such intentional or grossly negligent action took place in the protection of the compromised data that would give reason to suspect an offence in the matter.

“The material examined was extensive. We received the last pieces of material at the turn of the year and, early this year, we were able to make an assessment as to whether there is reason to suspect an offence in the matter,” said Head of Investigation, Detective Chief Inspector Marko Leponen of the NBI.

The aim of the criminal investigation is to establish whether the City of Helsinki had appropriate data protection measures in place. It is currently suspected that a data protection offence was committed in the matter. The data breach which targeted the City's information systems is investigated as a separate case.

“The criminal investigation is in its early stages, and no suspects have been named yet. One of the main objectives of the investigation is to establish the persons' roles in protecting the data, before naming possible suspects. Several different actors are responsible for the information systems of the City of Helsinki,” said Leponen.

A comprehensive IT investigation is carried out during the criminal investigation, and the parties are interviewed to identify the roles and responsibilities of different persons. The names of offences may be specified as the investigation goes on.

On May 2, 2024 the City of Helsinki issued a notice of a data breach, which took place on April 30 and launched an extensive investigation into the incident.

With progress made on the investigation into the data breach, it has emerged that the perpetrator may have gained access to a larger amount of information on the customers of the Education Division’s services.