Sensitive business documents may have been accessed, representatives claim.
The data of around 130,000 individuals has been compromised following a hack on a Finnish business website – the third-largest breach to ever hit the country.
The website, liiketoimintasuunnitelma.com, created to advise citizens on how to develop their businesses, was discovered last week to have been accessed by an unknown third party.
Usernames and passwords were stolen, and the center admitted that business plans could also have been taken.
To make matters worse, the information was stored in plain text – meaning the details can be exploited immediately, without the need for decryption.
The website was taken down shortly after the attack, which was discovered during a routine monitoring operation by the Finnish National Cyber Security Centre (NCSC-FI).
An investigation has been launched by the Helsinki Police Department, which at the time of writing still hadn’t confirmed who was behind it.
Jarmo Hyokvvaara, board chairman at the Enterprise Agency for Helsinki, told the Helsinki Times: “We cannot unfortunately say yet exactly how many people and what kinds of data this affects.
“We have filed a criminal complaint, and our customers do not have to file a separate report with the police.”
He added: “The maintenance and data security of our service was the responsibility of a subcontractor that has been a long-term partner for us.
“The data security of the service unfortunately was not good enough to prevent an attack such as this. This was partly our mistake, and as the purchaser and owner of the service we accept our share of the responsibility.”
The Finnish Communications Regulatory Authority, which operates NSCS-FI, wrote in a press release: “A good practice in the administration of services would be to store passwords as cryptographic digests – or hashes – to make it more difficult for the attacker to take advantage of them.”