Quick quit Skip to content

What to do if your personal data has been leaked online

Last updated on 28 October

Victim Support Finland is providing assistance and support to victims of the recent data breach and to their families.

Psychotherapy Center Vastaamo has been the victim of a major data breach in which sensitive customer information has been disseminated online.

Victims of cybercrime can contact Victim Support Finland for conversational support and practical advice in criminal matters:

  • The Victim Support Finland helpline at +358 116 006 serves customers from Monday through Friday at 9–20 in Finnish and at 12–14 in Swedish. Calling the service is free of charge. If you wish to contact the service in English, please use the contact form.
  • The RIKUchat online service is open on weekdays at 9–15 and also on Mondays at 17–19. RIKUchat
  • The helpline of the Finnish Red Cross is open on Sunday 25 October at 15–21 at +358 800 100 200. The helpline provides crisis assistance to victims of the data breach. Starting on Monday, you can call the helpline at 9–21. Finnish Red Cross (press release in Finnish)
  • The National Crisis Helpline also offers round-the-clock assistance at +358 9 2525 0111. Crisis Helpline

The Cyber Security Centre has published guidelines on what to do if your personal data has been disseminated online or if someone is threatening to disseminate it: Questions and answers for victims of identity theft or a data leak

Vastaamo Data Breach: Information and Actions for Victims

Advice for victims

Seek help and get peace of mind

The following tips are designed to help you to avoid further unpleasant consequences and feel more in control. Once you have taken the steps to protect your data, it is time to focus on feeling good about yourself again. Make a list of what you have already done and what you still need to do.

Remember that you are not alone and that help is available. Talking about the situation with your family and friends or to a professional can be helpful. Try to identify the worst thing that could happen to you as a result of the breach and how you would cope with that scenario. A data breach is always a shock, but help is available.

If you have received a notification from Psychotherapy Centre Vastaamo stating that your data has been stolen, you should report the offence to the police.
Police: File a police report

If you see your personal data published somewhere online, take screenshots as evidence and report the offence to the police.

If someone is threatening to disseminate your data or is using it to extort you, take screenshots of the messages as evidence and report the offence to the police. Do not pay the extortionist.

A credit ban is a good way to prevent fraud involving the misuse of your personal data. Using your personal identity code and other data, an offender may be able to make hire purchase transactions or take out a loan, for example. You can prevent these fraudulent offences by applying for a credit ban. A self-imposed, fixed-term credit ban will not prevent you from making hire purchase transactions or taking out loans. You will receive a separate document indicating that you are creditworthy regardless of the self-imposed credit ban. There are two different operators maintaining credit data files in Finland, and we recommend applying for a credit ban with both of them:
Asiakastieto: Credit Ban (in Finnish)
Dun & Bradstreet (former Bisnode): Credit Ban (in Finnish)

By applying for a registration ban, you can prevent another person from entering your personal data in the trade register as the person responsible for a company, for example. When you apply for a registration ban with the Finnish Patent and Registration Office (PRH), your personal data cannot be entered as the person responsible for any company or corporation.
Finnish Patent and Registration Office (PRH): Registration ban (available in Finnish and Swedish)

To prevent others from making a change of address using your personal data, you should apply for change-of-address protection with Posti and the Digital and Population Data Services Agency (DVV). You can request change-of-address protection if your personal data has been stolen, for instance. While you are protected, no one can make a change of address or order mail delivery interruption using your personal data. This means that no one can order items to another address in your name. You can apply for change-of-address protection with Posti online

You can apply for a change-of-address ban with the Digital and Population Data Services Agency (DVV) through Suomi.fi messages. In the message service add to the empty box: request for a change-of-address ban, name, date of birth, address. You can also visit personally a DVV service point. You should request a a change-of-address ban from both, Posti and DVV.
Posti: Change-of-address protection (in Finnish)
Digital and Population Data Services Agency: Moving (information on change-of-address protection available on the Finnish and Swedish pages)

Consider also requesting non-disclosure of your personal information from the Population Information System. If your leaked address information or other data has changed, it is a good idea to protect your current information. You have the right to know what data about you has been leaked. This information may help you figure out what action you can take to prevent further damage.
Digital and Population Data Services Agency: Non-disclosure of personal information (available in Finnish and Swedish)

Keep your passwords safe and activate two-factor authentication on your accounts

A cybercriminal has got their hands on a large volume of email data. This means that other criminals may also gain access to the information, and someone could try to hack your passwords. Make sure that you use long passwords on all your accounts and, if possible, activate two-factor authentication. Change the password on any compromised email addresses. For tips on choosing a strong password and using two-factor authentication, see KyberVPK: Passwords and two-factor authentication.

Contact Vastaamo to find out what information they hold about you

The General Data Protection Regulation gives you the right to ask Vastaamo about the information they hold about you. Once you know what information may have been leaked, you can make better decisions about the steps that you need to take to protect yourself from further damage. You can contact Vastaamo by filling in an access request form online. More information about Vastaamo’s data protection policy is available on Vastaamo’s website. Please note that you may have to wait several weeks for an answer.

These tips are partially based on KyberVPK’s Checklist for victims of a data breach.

Questions and answers