Data has been stolen or leaked from my organisation

• A problem noticed by own employees: a detected data security vulnerability or suspected misuse of data. 
• A notification from the system supplier: a detected data security vulnerability or a suspected data breach. 
• A blackmail message from a criminal: a message threatening to publish the stolen data unless a ransom is paid.  
• A message from a data security investigator: a party external to your organisation has noticed a vulnerability in your information systems and informs you about it. 
• A customer contacts the organisation: a message explaining that a data protection problem or a data security risk has been noticed. 
• Media: a news item about a data leak or a data breach concerning your organisation.
• An authority: the police or the National Cyber Security Centre reports a data breach they have detected or a vulnerability that enables it.

If a vulnerability has been detected in the data security of your confidential data, you should begin to investigate the matter thoroughly straight away. It is always possible that criminals have already managed to take advantage of the vulnerability.

If your organisation already has a contingency plan or instructions for this kind of situations, you should primarily follow them. This guide helps you check whether the most important things have been taken into account in your plan.

Many smaller organisations do not necessarily have designated persons responsible for data security. In that case, it is important to gather together the persons who make decisions in the company and the persons who know the details of the incident.

If your organisation consists of only a few persons, it is probably advisable to engage the whole personnel in investigating the situation.

Ask the authorities for help and advice. Consider employing an external company, for example, to investigate the technical aspects of the data breach or to plan the crisis communication.

• The National Cyber Security Centre provides advice for determining the situation, preventing further damage and recovering from the situation free of charge and confidentially. Submit a notification of data security violation and ask for advice.
• The Office of the Data Security Ombudsman provides advice on matters related to the protection and processing of personal data. Ask the Office of the Data Security Ombudsman for advice (in Finnish)Opens in a new window..
• If you suspect an offence, report the offenceOpens in a new window.. The police help to form an understanding of the situation in connection with investigating the offence
• You can purchase services from companies specialised in cyber security. You can find cyber security companies, for example, in the list of members of the interest group Finnish Information Security Cluster (FISC) (in Finnish)Opens in a new window..
• The operation of KyberVPKOpens in a new window., a Finnish collective of hackers, is based on volunteering. The collective provides discretionary assistance to organisations that have been subjected to cyber attacks, primarily parties offering healthcare and other critical services.

• Human error: An employee may accidentally forward confidential data outside your organisation. For example, the employee may send an email to a wrong person.
• Phishing: Criminals try to gain access to confidential information through emails, text messages, instant messages, social media or phone calls.
• Malware: For example, malware may be attached to a scam email and become installed to the computer or other device. Malware may forward the passwords and other information on the user of the device to the criminal. 
• Data breach: Criminals take advantage of a technical vulnerability of an information system and break into the system.

Note that information leaked or stolen in one way may enable a new, more extensive data breach. For example, if a criminal has gained access to IDs and passwords through phishing, they can then break into your organisations information systems.

Criminals are usually interested in information such as

• personal data, especially, sensitive personal data such as health data
• IDs and passwords
• online banking codes and debit card details
• trade secrets and product development information
• other classified and confidential information.

An individual piece of information may not be useful for anything. However, criminals may intend to collect individual data from many different sources. By combining the data it may be possible to try to carry out data breaches, fraud or identity thefts later.

Criminals mostly try to benefit from the stolen data financially. For example, they try to

• blackmail the organisation by threatening to release the data or prevent its use
• blackmail private individuals by threatening to release the data or prevent its use
• commit a fraud using personal data or bank details
• sell IDs, passwords and personal data on to other criminals
• sell trade secrets or product development information

A data breach may also have other motives such as

• embarrassing the organisation subjected to the data breach, for example, as revenge
• intimidating the organisation subjected to the data breach by threatening to make the matter public
• improving the criminals’ own reputation with a successful data breach
• experimentation by a criminal testing their skills
• State-run cyber espionage.

A data breach or a data leak may have several negative effects, such as

• costs related to investigating and rectifying the situation
• legal consequences and costs related to them
• temporary reduction or suspension of activities or services due to the exceptional circumstances
• weakening of the organisation’s public image.

The negative impacts are likely to be the smaller the quicker and the more seriously you react to data security deviations:

• It is even more detrimental to the company's reputation if it is found out at a later stage that the company has tried to cover up a data breach or has downplayed it.
• Legal consequences may be more severe it the measures required by law have not been taken immediately.
• The costs of an incident that has been dealt with quickly are lower than the costs of a long-lasting exceptional situation.

The assessment should always be based on considering

• how certain it is that the data ended up in the wrong hands
• what kind of data has been compromised
• what is the extent of the data that has got into the wrong hands
• how likely it is that the data will be misused.

For example, even just a suspicion that usernames and passwords or sensitive data have been leaked is a serious situation. On the other hand, if the stolen data is already public, getting into criminal hands will probably not be very harmful. 

Take measures with a low threshold to prevent further damage. The key is to understand what measures are obligatory. 

• under the law 
• based on the agreements concluded by the organisation.

For example, in certain situations, a personal data breach must be reported to the Data Protection Ombudsman.

In addition, you must assess how to minimise the negative effects on

• the organisation’s operation 
• the services produced by the organisation
• the organisation's cooperation with stakeholders.

Record at least the following information in the diary:

• the persons who have dealt with the situation and their roles
• the exact times and dates of the different entries
• the decisions taken, their justifications and the persons who made the decisions
• the measures taken and their times and dates
• a list of the collected evidence
• contacts made with different parties.