Quick quit Skip to content

Data breach – advice to victims of a data breach or a data leakage

Last updated on 10 May

If you fall victim to a data breach it is important to report the crime and take necessary blocking measures to prevent, for example, fraud with your personal data.

As data breaches are different, the directives also vary from case to case. Good practical advice in your own situation can be found in the guide on the Suomi.fi web page:  Have you fallen victim to a data leakage or a data breach?

Victim Support Finland provides discussion assistance and practical advice in criminal cases:

At the end of this page there is special advice for the victims of the Vastaamo data breach

Advice to victims of a data breach

Get help and take care of your well-being

By following the advice listed in the data breach guide on the Suomi.fi web pages and on this page, you can avoid further damage and increase your own sense of control.

Remember that you are not alone, and that help is available. It often helps to talk about the situation with loved ones, professional helpers or another person who understands the victim’s situation. In discussions, it is good to try to identify the worst that could happen and how you can get through this.

Keep a diary of what you do. Write down what you do, i.e., what you reported, when and to whom. This information can be important for, for example, the police and when assessing possible damages. By keeping a diary, you can also keep track of what you have done, which helps having a sense of control.

Make a report of the crime

If you, for example, fall victim of extortion, fraud, identity theft or data breach, you must report the crime. Police: File a police report

If you are threatened or extorted by dissemination of information, take screenshots of the messages as evidence, and report it to the police. Do not pay the extorter.

If you see your own information published somewhere, take screenshots as evidence, and report the crime.

Make a credit ban

With a credit ban you can prevent fraud committed by misuse of your personal data. The perpetrator can, for example, make installment purchases or take other credit using your personal identity code and other information. With a credit ban you can prevent frauds like this.

According to Suomi.fi guide, you can place a self-imposed credit ban in the Tax Administration’s Positive credit register. The Tax Administration’s service is free of charge. In the Positive credit register you can give consent that information on your voluntary ban on credits may be disclosed to credit information companies.

Two companies offer voluntary credit bans as a paid service: Suomen Asiakastieto and Dun & Bradstreet

By enacting a self-imposed credit ban, you will make it more difficult for others to use your personal data to order a credit card, take out a bank loan, or make purchases on an instalment plan.

However, you can still take out a loan yourself by presenting the credit ban certificate. You can also cancel your credit ban at a later date.

Suomen Asiakastieto and Dun & Bradstreet also offer supervision services that notify you if someone tries to apply for credit with your information.

If you cannot afford to pay for a credit ban, find out whether you are eligible for basic social assistance.

(Source: Suomi.fi: Data leak)

File a prohibition of registration to the Finnish Patent and Registration Office

With the prohibition of registration, you can prevent your personal data from being registered as, for example, a responsible person for a company in the Finnish Trade Register. When you file a prohibition of registration to the Finnish Patent and Registration Office (PRH) you cannot be registered with your personal data as a responsible person for a company or an association. In this way you can avoid that a company is being founded in your name without your knowledge. Criminals might establish companies with illegal activities in the name of others: Finnish Patent and Registration Office (PRH): Prohibition of registration

Apply for a moving protection to Posti and the Digital and Population Data Services Agency

You can prevent that a change of address is made with your personal data by requesting a moving protection from Posti and the Digital and Population Data Services Agency. Address changes or distribution interruptions cannot be made for a protected person if the protection is active. In this way, goods cannot be ordered in your name to another address. Posti’s moving protection can be made on Posti’s website.

The Digital and Population Data Services Agency’s block on a notification of move service can be done electronically via the Suomi.fi web service. Fill in a request for a block on a notification of move, your name, date of birth, address in the empty box in the message service. You can also block a notification of move by visiting the Digital and Population Data Services Agency in person. You always have to request a block on a notification of move to both Posti and the Digital and Population Data Services Agency: the Digital and Population Data Services Agency: Block a notification of move

Submit a non-disclosure of data to the Population Information System

You should also consider submitting a non-disclosure of data to the Population Information System. If your address or other data have changed since the time of the data breach, it is good to protect your current data: the Digital and Population Data Services Agency: Non-disclosure of personal information

Use passwords and two-factor authentication

If the criminal has obtained e-mail addresses during the data breach, they can sooner or later end up in the hands of other criminals and someone can start testing their passwords. Make sure that you have a long password in use for all services and use two-factor authentication if possible. Change the password for the leaked e-mail address. Read the instructions for choosing a good password and two-factor authentication: KyberVPK: Passwords and two-factor authentication

Remove your information from billing services and prohibit service usage

Klarna and other billing services may allow making purchases with very little authenticating information about the invoiced person. Ask the billing service company to remove your personal information, this is your right under the GDPR regulations. This means that registered persons in certain situations have the right to have their personal data removed from the register by the controller.

A request to Klarna can be made by e-mail to the address tietosuoja@klarna.fi or via form. The contact details of other billing services are often found on their websites, at least in their privacy statement.

Make your phone number secret, if necessary

You can change the information in your telephone subscription to secret via your operator’s self-service or by contacting the customer service of your operator. Alternatively, you can make just the address information or both the name and the address information secret. The update of the change will take a few days, after which your number and your information no longer are visible in the number services. You can also agree on other measures with your telecom operator. You will get more information from your own operator’s self-service and customer service channels.

The KyberVPK website, among others, has been used as a source Checklist for victims of a data breach.

More practical advice to victims of a data breach:
Suomi.fi | Guide: Have you fallen victim to a data leakage or a data breach?


Special advice and instructions to the victims of the Vastaamo data breach

Over 33,000 people fell victim to the data breach at the Psychotherapy center Vastaamo that was discovered in October 2020. In the exceptionally serious data breach, the perpetrator hacked into Vastaamo’s data system and tried to extort money from the clients with sensitive information. Finally, the perpetrator published the information on the dark web.

Read more: How is the Vastaamo case proceeding from the victim’s perspective

Should I change my e-mail address and telephone number since they have leaked?

Even if your e-mail address and telephone number were published, you should not have to change them. Update the passwords for your e-mail and other electronic services to strong ones so that no one can guess them and misuse them. Use a two-factor authentication if possible. E-mail addresses and telephone numbers are usually public information. If you start getting annoying spam or calls you can consider changing them. If you have an activated non-disclosure for personal safety reasons you should change your telephone number.

Read the instructions for choosing a good password and two-factor authentication: KyberVPK: Passwords and two-factor authentication

Can I change the personal identity code?

The personal identity code is unique and intended to be permanent. You can only apply for a change of your personal identity code when it is absolutely necessary. A change may be justified if there is an obvious and persistent threat to your health or safety or if someone other than you repeatedly has misused your personal identity code.  You can apply for a change of your personal identity code if someone has repeatedly misused it and if this has caused significant financial or other inconvenience to you, and if a change of the personal identity code can prevent the continued misuse.  the Digital and Population Data Services Agency: Changing your personal identity code

Do I need to contact the bank in the Vastaamo case?

To be on the safe side, you can notify the bank about the data breach.  In this stage, however, it is not known that the bank details of Vastaamo’s clients have been compromised in the data breach and there have been no bank details among the information that has been published. It is good to follow the information on your own bank group’s website.

Is my own data protection further endangered if I publicly tell, for example in social or journalistic media, that my own data is among the stolen data?

Telling this does at least not increase the persons data protection because it may attract curious people to specifically search for information about the person in question. It is good to think carefully about whether you want to talk about it publicly and reflect whether it will cause more harm than good.

I am a client at Victim Support Finland. I am worried about whether my information is safe with you?

The Victim Support Finland’s client register is one of the few client data systems in the social sector that belongs to category A. As a part of the category A requirements, the service’s data protection regularly undergoes an audit carried out by an accredited information security inspection body. Further information about the categories: Valvira: Information systems for social welfare and health care

We do not collect personal data from individual contacts, for example, in the chat or on the phone.

In case of fraud, do I have to pay the invoices myself?

It is good to take necessary protective measures to prevent fraud. It is good to check your own account details and the mail. If you receive invoices for things that you have not ordered or bought you should immediately contact the company and your own bank and report the crime to the police. The best way to protect your own position is to take necessary protective measures to prevent fraud, and in the event of fraud to follow the instructions above.

Is there any way I can find out if my information is being illegally shared online or on the dark web?

You can use the service Have I been pwned? that notifies if your e-mail has leaked publicly. The service is maintained by the data protection expert Troy Hunt. Alternatively, you can use the domestic service F-Secure in Finnish or the domestic service Badrap.io. You can also use the Google Alerts service in your own name. The service sends an e-mail if the keyword you have chosen appears in Google search results. You can, for example, have your own phone number, name, and e-mail address as keywords.

Asiakastieto, among others, offers a fee-based security service called Tietovahti that follows up on whether your data is shared on the dark or open web.

I also want my data to be deleted from the Kanta service, is this possible?

No, it is not. The data is deleted when the storage period according to law ends. However, you have the right to demand that incorrect data is corrected and to see your own data. Kanta: The patient’s rights

I saw that my information is published online. I have taken the necessary protective measures, taken screenshots and reported the crime to the police. Can I do something else?

If you see that your data is being shared online, you must report this to Traficom’s National Cyber Security Center. The National Cyber Security Center strives to limit the dissemination of the data by requesting that the published data is deleted from the services where the data is shared. In addition, if you know where your data has been published, you can ask the administrator of the service or website in question to remove the data.

Does a voluntary credit ban affect the existing credit card or loans in any way?

The application for a credit ban does not affect existing credit cards, installment payments or loans. The credit ban affects future credit decisions. A voluntary credit ban does not prevent you from making installment purchases or taking other credit. You will receive a separate certificate that shows your creditworthiness despite the voluntary credit ban.

How can entrepreneurs protect their company data? If the entrepreneur has an active credit ban, how does it affect the business?

Entrepreneurs should take the same protective measures as others.

Suomen Yrittäjät have developed instructions for entrepreneurs who have fallen victim to the data breach at Vastaamo: Suomen Yrittäjät: Do this if you have fallen victim to a data breach – Theft of the entrepreneurs own personal data can seriously damage the company’s business

More information: To the entrepreneur: PRH / How to protect yourself and your company from scams

If the credit information of the person responsible for the company is requested from Suomen Asiakastieto Oy’s credit information register when the company is making an agreement, the Tietovahti will notify the person about the request if he/she has activated the Tietovahti service. In the same context, a possible Self-imposed credit ban marking is also visible for the entity that made the request. These services can also provide protection for companies that, for example, operate with trade names, even though they were not actually developed to protect companies. Tietovahti, that monitors requests for a person’s credit information, does not notify if the company’s information is explicitly requested. There is also no service for companies that corresponds to the Self-imposed credit ban marking.

It you want to follow up the company’s information, Asiakastieto has developed the Yrityksen Tietovahti service for that purpose. With this service you can, among other things, find out if there is a change in the company’s information. The service can also follow up the development of the number of requests. If the entrepreneur is not active at the time (e.g. advertising campaign, credit application, participation in an invitation to tender etc.) this can be an indication of possible abuse. You can read more about the service here.

The marking for the Self-imposed credit ban does not affect the company’s classification.  The marking is considered as a separate credit information marking if the responsible person’s information is requested in this context, it is therefore easy to distinguish from a payment default entry. If the entrepreneur applies for a loan, he/she can more specifically prove his/hers identity with a certificate of the self-imposed credit ban.

Bisnode also offers a company monitoring service.

What can parents do to protect the information of minor victims?

The information of a minor should be protected the same way as the information of adults. The minor or the person who has custody of the minor can report the crime to the police. Minors cannot apply for credits in their own name, and the risk of misuse is therefore small. Legally there are no obstacles to applying for a self-imposed credit ban for a minor.

When minors turn 18 it also possible to apply for credit with their information. At the latest then it is good to apply for a self-imposed credit ban.

Minors can impose credit bans on themselves in Asiakastieto Oy’s online service since identification is not required for this. Identification is not required because they wanted to offer the possibility to get this marking also in situations where necessary tools for identification have been stolen (phone, bank codes). If the person who has custody of the child imposes a credit ban marking for a minor it is good to agree on this in writing with the minor with authorization. You can keep the authorization yourself. As a rule, minors cannot sign credit agreements, so it is not necessary to impose a credit ban for minors. In cases where the minor soon will become an adult and the minor’s information somehow has ended up in the hands of a criminal, it is good the make the self-imposed credit ban. You can remove the self-imposed credit ban yourself when you feel that there is no longer a need for it. When removing the credit ban you must identify yourself. More information from Asiakastieto Oy.

According to Bisnode Finland Oy a voluntary credit ban is a measure based on direct consent and therefore strong authentication is required in our online services to make and remove a voluntary credit ban to avoid abuse and give consent. If the minor does not yet have online banking codes or other necessary tools for strong authentication, the voluntary credit ban can be imposed for the minor by sending a signed unofficial application and the signatures of the persons who have custody of the minor in the minor’s place and a copy of the person’s identity certificate as an attachment. You can also apply for a voluntary credit ban by visiting Bisnode Finland Oy’s customer service and then the minor must be present as well as the persons who has custody of the minor or their authorization. Generally, a minor cannot make credit agreements and therefore it is not necessary to apply for a voluntary credit ban for minors. In cases where a person soon will turn 18 and the person’s information is in the hands of criminals, it is good to apply for a credit ban. More information on Bisnode Finland Oy’s customer service.

Is it possible to file for a prohibition of registration for a minor? If it is, can it be made by the person who has custody of the child or how is it done in practice? Does the child’s age have to be considered in any way?

The guardian of a minor (usually the persons who have custody of the minor) can file for a prohibition of registration for the minor. Since the prohibition of registration is of less importance for minors, it is good to consider whether the processing of the minor’s personal data and entry in the register is necessary. The minor cannot in any case be registered in any position of responsibility in a company according to the Limited Liability Companies Act. Also, in many other forms of businesses, registration of a minor requires the consent of a guardian and/or permission of the guardianship authority. The validity of the prohibition of registration does not change when the minor turns 18. The prohibition of registration is valid for the time being until it is cancelled. If necessary, you can read more about minors and business operations on PRH’s website.

Do I have to use a printed form to file for the prohibition of registration at PRH?

You can also file for a prohibition of registration electronically : PRH: How to file a prohibition of registration?

Would it help to change the name if the personal identity code has leaked?

Identification takes place using the personal identity code and changing the name probably has no major impact. The name can be changed any way and that does not prevent the use of the personal identity code.

Do I have to visit the Digital and Population Data Services Agency if I want to request a block on a notification of move?

The instructions on the Digital and Population Data Services Agency’s website have changed. The fastest and easiest way to request a block on a notification of move from The Digital and Population Data Services Agency is electronically via the Suomi.fi web service. Fill in the request for a block on a notification of move, your name, date of birth, address in the empty box in the message service. The use of the Suomi.fi service requires strong authentication with bank codes or mobile certificate. You can also block a notification of move by visiting the Digital and Population Data Services Agency in person. This can be done at any service point. DVV: Block a notification of move

Can I limit the disclosure of data from Traficom’s Transport Register?

Traficom’s Transport Registers are usually official registers, but the disclosure of your own data can be limited. Non-disclosure of data can be made electronically in Traficom’s service. Traficom: How to prohibit the disclosure of your data

Can a voluntary credit ban affect business operations if, for example, the business partner checks the credit information?

A self-imposed credit ban is always placed under the personal identity code and is visible when applying for personal credit information. It may be good to tell the partner checking the credit information about the marking and its purposes to avoid any misunderstandings. You can explain to the partner checking your credit information that it is not a question of a payment default entry, but a self-imposed credit ban, which means that it is a voluntary credit ban applied for to prevent abuse due to leaking of personal data because of a data breach. In the field with additional information for the credit ban marking shows that it is a self-imposed credit ban by the person himself, not a payment default. You can also show a certificate of the self-imposed credit ban and, if necessary, direct the partner to get additional information about the marking from Asiakastieto or Bisnode.

If my own credit information already is gone, is there any use in applying for a credit ban?

As a rule, it is always good to apply for a self-imposed credit ban if you suspect that your information is being misused. There are also instances for which an existing payment default is no obstacle for granting, for example, installment payments or loans, even though they would not normally be granting them. In these cases, a self-imposed credit ban can prevent damage due to identity theft.

Can a previous crime report be updated in the online service?

The electronic crime report cannot be supplemented after it has been sent. Contact your local police agency.

It is possible to book an appointment online to, for example, Terveystalo, Mehiläinen or Pihlajalinna?

Terveystalo: No. When booking an appointment at Terveystalo you must identify yourself either with mobile certificate or online bank codes. You cannot book an appointment online with just personal data.

Mehiläinen: Yes. It is possible to book an appointment online at Mehiläinen with just individual personal data without identification. The client can choose, via the OmaMehiläinen service, only strong authentication as the method for booking appointments. OmaMehiläinen

Pihlajalinna: Pihlajalinna has an Oma Pihlajalinna service for clients where you log in with bank codes for the first time. After that it is possible to log in with the personal identity code and a confirmation code that comes as a text message to the phone. You log in in the same way to the occupational health service portal for occupational health care clients. It is not possible to log in to Pihlajalinna’s services using only the personal identity code. Your Oma Pihlajalinna

Is it possible to commit fraud abroad with a Finnish personal identity code?

The Finnish identity code identifies a person in Finland for, for example, authorities and banks. In Finland you can do business in many places with just the name. When doing business online several different ways are used to identify the buyer, and the personal identity code or authentication with bank codes are not always required. Fraud abroad is usually committed with credit card details.

I am getting extortion messages, should I call the emergency response centre?

Do not call the emergency response centre. If you get extortion messages, take screenshots, and save the original messages. File an electronic crime report to the police and attach the screenshots of the extortion. If you cannot file an electronic report, you can also file the crime report by visiting the nearest police station during opening hours. Police: Instructions on how to report a crime to the police when your personal data has been shared online due to the data breach at Vastaamo or if you have received an extortion message (in Finnish and Swedish)

Should I pay the ransom? Why or why not?

You should not pay the ransom because payment does not guarantee that your personal data is not already visible or that it will be made public later or that some other actor will not extort you with the data in the future.

Do you want to know what information has been registered about you? Send a request for reviewing the register data to Kela

According to the Data Protection Regulation you have the right to receive information about the data that Vastaamo has registered about you. To straighten out this information can make it easier for you to consider what you can do to avoid further damage. The patient data for Vastaamo’s clients has been transferred to Kela when Vastaamo closed. Requests for your own patient records can be made via encrypted e-mail. Instructions on Kela’s website: Vastaamo’s clients have the opportunity now to get information about their patient records from Kela

I find results with Google where my name is linked to content that violates the law or violates my rights. What can I do?

You can make a request to Google for the deletion of certain personal information: Deletion of data according to EU*s data protection act

Read more in Google’s instructions: Overview: Right to be forgotten