To get the best help for your situation, first answer the questions on the Preliminary questions page.
Data has been stolen or leaked from my organisation
Prevent further damage
Do not agree to any demands
If the criminal sends a ransom message,
- do not reply to the message
- do not pay any ransom
- do not delete the blackmail message you received
- take a screen capture of the message and save the message as a file
- report an offence to the policeOpens in a new window..
If necessary, cancel the online banking codes and debit cards
If the online banking codes or debit and credit card details have ended up in the hands of outsiders, contact the bank straight away. The bank has a cancellation service that you can call. The Finnish Financial Ombudsman Bureau has a list of cancellation numbers on their website (in Finnish).Opens in a new window.
By acting swiftly you may be able to prevent any financial damage from occurring. When you have informed the bank, your organisation is no longer liable for any money taken from its accounts or unauthorised use of the credit or debit cards
Try to limit the impacts of the vulnerability
If you suspect a data security vulnerability in the systems or processes, it is important to immediately try to restrict criminals’ opportunities to find the vulnerability.
Assess whether you will need to
- shut down the information systems or isolate them from the network
- increase the monitoring of the systems or the internal network
- restrict the flow of information between systems
- prevent or prohibit the use of the systems.
Lock or renew usernames if necessary
- If the data security of the usernames and passwords in your organisation is at risk, log out and lock the usernames related to the incident until new passwords have been issued for them.
- If there is even the slightest suspicion that the personnel's other usernames and passwords could have ended up in the hands of outsiders, you may need to urge all the members of your organisation to change the passwords for the systems they use.
- Also remember to check that the recovery settings of email accounts or the forwarding of emails have not been changed. For example, the attacker may have set their own email address as the email address for email recovery or forwarding.
Chase the intruder away
When you have found out how widely the possible intruder has been able to access the information systems and what they have done in the systems, chase the intruder away by discontinuing their access to your systems.
This may require
- disconnecting the connection to the public network
- reinstalling the systems
- changing the passwords
Prevent misuse of your personal data
If your own personal data, such as your personal identity code, has fallen into the wrong hands, read the instructions in the guide My personal data has been stolen or leaked intended for private individuals.
Plan communication about the incident
The right kind of information communicated at the right time may prevent further damage, such as public damage to the reputation. Plan
- what information you communicate
- who you communicate it to
- when you communicate
- on what channels you communicate.
When your organisation communicates, remember to
- stay truthful
- avoid speculation
- say you are sorry and apologise for the inconvenience caused by the situation
- not reveal anything that compromises data security.
If the police investigate the incident as an offence, discuss communication with the police.
Adapt the operation if necessary
If the incident remains unclear and the investigation of the situation takes days or weeks, consider adapting the operation of your organisation to make it possible to return the situation back to normal quicker.
An unclear situation that lasts long may lead to additional costs, damage the organisation’s reputation and exhaust the personnel.