The servers of the Finnish IT company Arc Technology were compromised by a cyber attack at the beginning of the year. The strike was directed at a sensitive point, the server used by the employees of eight Finnish organisations to log in to HR data systems.
An investigation into the data security breach revealed that the attackers took control of the login server and used it for distributing spam emails or engaging in other unlawful activities.
“According to the data security assessment it may have been used for gate scanning, spamming or the like. The breach appears to have come from Venezuela and from Finland to Brazil,” said Arc Technology chairman Kimmo Koivu.
The compromised server was used to log in to personnel systems run by organisations such as state railway VR, the pharma wholesaler Oriola, the Finnish Tax Administration and others.
VR CIO Jukka-Pekka Suonikko described the data breach as serious. Taking control of the server for use in a cyber attack was already critical, but even worse was the exposure of personnel data, he said.
Data theft possible
VR’s HR information systems alone contain data on 10,000 workers, including names and social security numbers as well as salary details.
If the cyber thieves had wanted to, they could have got their hands on the database and stolen that information.
“In this kind of case we can never be completely sure what happened. We know that a skilled hacker could also have entered the personnel system and extracted something,” Suonikko said. However, he added that so far there’s been no evidence of theft.
The attack was detected when Brazilian data security officials noticed unauthorised data traffic on the Finnish servers and issued an alert. The Arc Technology team immediately pulled the plug on the server, causing HR information systems to crash.
After the service break, Arc Technology and VR hired external data security consultants to investigate the matter. The spring probe found no sign that information had been stolen from the databases, but the consultants said they could not entirely rule out the possibility.
“The experts said it’s not possible to determine that there was no theft. On the other hand there’s been no sign that data has been stolen or that it has been used for any other purpose,” Koivu added.
He stressed that Arc Technology has beefed up its data security protocols since the breach and that independent professionals will test the systems before they are once more taken into use.
VR severs ties to IT provider
The Tax Administration’s chief information officer Markku Heikura told Yle’s A-Studio programme that Arc Technology’s actions and communications following the break were appropriate and that the company will continue to use the IT provider’s services.
VR, on the other hand, has terminated its cooperation with Arc Technology because of the hacking incident.
“We have to be sure that the companies handling our data act responsibly and that hasn’t been the case here. Naturally this means that we will be scrutinising our data security issues even more closely henceforth,” VR’s Suonikko noted.
The VR CIO stressed that the hacking attack targeted the company’s HR systems login server, which is not linked to other systems such as customer databases, ticket sales or rail security.