The data breach targeting the City of Helsinki shows that these offences require a new approach to preparedness, communication and data breach prevention in the public sector
In July 2024, the Government appointed an independent investigation team in connection with the Safety Investigation Authority (SIAF) to investigate the data breach that targeted the City of Helsinki in spring 2024. The data breach had an estimated 300,000 victims, making it the largest ever in Finland. The investigation team has completed its safety investigation, and the investigation report was submitted to the Government on 17 June 2025.
Cyber crime is a growing area of criminality that causes significant harm – especially in the current situation of hybrid threats. Public administration is an attractive target for criminals because of the quality and quantity of data it possesses. The public sector's response to cyber crime threats still has room for improvement, as the methods for detecting attacks and vulnerabilities are not in sufficiently wide use.
“When striving to prepare for and prevent incidents like a data breach, we face a new situation in many ways. We have traditionally relied on cooperation between authorities in Finland. However, the prevention measures of cyber incidents are decentralised, while the public sector depends to a great extent on the expertise and availability of private sector actors for investigating and managing data breaches. For example, such cooperation mechanisms as the SAR activities have not been put in place for data breach cases. A lot is also left to the victims,” says Hanna Tiirinki, Head of the Investigation Team.
“We also need to rethink the definition of a victim. We use different databases and services nearly every day, almost without noticing it. Local government holds a wide range of personal data concerning us. In cyber incidents, the attacker can store large amounts of data for later use. Such combinations of different types of data are a particular vulnerability from victims' perspective. In case of a data breach, the risk of the data being later used for harmful purposes, including identity theft and fraud, must always be recognised – and such groups as young people may not fully understand what could happen to their data when they become adults”, Tiirinki adds.
The national Cyber Security Act, which implements NIS2, or the Network and Information Security Directive 2, entered into force on 8 April 2025. In Finland, however, municipalities and cities have extensive self-government, and the scope of NIS2 does not extend to them.
“NIS2 does not apply to local government in Finland. The recommendations given following the investigation now seek to fill in this gap”, Tiirinki notes.
Under NIS2, organisations are obliged to issue an early warning about an incident within 24 hours. Communication is an essential part of protection measures in data breach cases. Communication reduces uncertainty, prevents the spread of misinformation and ensures that victims receive the support they need. The accessibility, coverage and comprehensibility of communication are of paramount importance.
“Such target groups as children and young people should also be taken into consideration – and age-appropriate communication should be targeted at them. It is typical of crisis communication and incident warnings that you often need to operate with insufficient information to start with as the situational picture is being constantly added to. The fact that the information is initially insufficient should not be an obstacle to communication”, Tiirinki stresses.
“We should also note that local sector actors have major differences between them, they are not all the same. While some already have a very good level of preparedness, others still have a bit to do. In international comparisons, Finland has a really good track record in preparedness. We have also become alert to the problem in the aftermath of data breaches and made efforts to rectify it. Consequently, we are already doing a lot to prevent and counteract incidents like this data breach,” Tiirinki points out.
Four recommendations were issued as a result of the investigation. They are mainly addressed at the Ministry of Finance, which is responsible for implementing them together with the Ministry of Justice, Ministry of Transport and Communications, Finnish National Agency for Education and the Association of Finnish Local and Regional Authorities. In addition to developing communication guidelines, the recommendations concern coordination and monitoring of information management as well as instructions issued for it. The recommendations additionally draw attention to improving the detection of information security shortcomings in public administration and building up capabilities in this respect, making it possible to observe and address these shortcomings.
Comment of the national information security authority:
National Cyber Security Centre Finland at the Finnish Transport and Communications Agency Traficom: "In our capacity as the national information security authority, we assist and advise companies, other authorities and citizens in preparing for and recognising current and future cyber security threats. Traficom's Cyber Security Centre has supported the City of Helsinki comprehensively since the data breach was detected, and we will continue to work together with the City and service providers", says Samuli Bergström, Director of CSIRT at Traficom's Cyber Security Centre.
"The importance of communication is highlighted in a cyber attack. Traficom's crisis communication guideline published in spring 2025 contains information on different types of cyber attacks and the ploys and methods used by criminals. The guideline also gives tips for preparedness in the field of communication and for communicating during and after a cyber attack", Bergström continues.
Other investigations of the data breach targeting the City of Helsinki:
The National Bureau of Investigation: The pre-trial investigation of the data breach that targeted the City of Helsinki is conducted by the National Bureau of Investigation. The case is investigated as aggravated unlawful access to an information system. As part of the pre-trial investigation, the National Bureau of Investigation also seeks to establish if the City has protected its data appropriately. In this investigation, the title of the offence is suspected data protection offence.
The Office of the Data Protection Ombudsman investigates the personal data breach from the perspective of compliance with data protection legislation. This investigation has a particular focus on determining if the City of Helsinki had sufficient safeguards in place and if it has ensured that the rights of the data breach victims are realised. This investigation is pending, and the Data Protection Ombudsman is currently assessing the account of the incident received from the City of Helsinki.
Where to get help?
Victim Support Finland has published advice for victims of a data breach or data leak on its website. The website stresses the importance of following instructions issued by the authorities as well as putting the necessary bans in place to prevent the fraudulent use of personal data. Victim Support Finland also provides counselling. Its services are free.
1. Under the law, the investigation of an exceptional event may concern a very serious event that was not an accident and which resulted in death or that threatened or seriously damaged basic functions in society (Safety Investigation Act of Finland 525/2011).
2. SAR: Search and Rescue.
Link to summary and investigation report
Further information:
Hanna Tiirinki, Head of the Investigation Team, tel. 02951 50747, [email protected]
Additional telephone numbers +358 2951 50738 or +358 50345 1931. The telephone line set up for the investigation will be available until 1 August 2025.
After 1 August, please email any questions to [email protected] or directly to the Head of the Investigation Team.
Published 17.6.2025