When Everything Goes Wrong

A true story of how everything that went wrong, did

I wish I could make up some of these stories. Sometimes I wish I would still get surprised or shocked at them as well. Now the shock or facepalming comes from when humans continue to do silly things.

This is a story of how everything that could have went wrong, did. From the security of the infrastructure to how the CEO and others behaved.

What Happened?

A mental health network startup in Finland got breached. The full database of detailed notes from therapists about their patients, including their full identity, was stolen. The attackers threatened to leak the entire database unless the company paid a ransom. Instead they targeted individuals threatening to release their patient records if they didn’t pay a ransom.

This was almost as bad as when a cheating website was hacked and leaked.

What Went Wrong?

Here is a breakdown of everything that went wrong. So many things went wrong, that I have to just list them out.

  • MySQL DB server port was OPEN TO THE INTERNET! 🤦🏽‍♂️

  • The database of patient information was not encrypted at rest

  • The developers that built the app didn’t bother with a VPN and made the app accessible remotely

    “Those are two professionals that know much more about the network and firewall and server management than I,” Tapio (CEO) says. “I was not responsible.”

  • 3rd party developers had a criminal history were they allegedly stole a database from another company (case was never proven) right before working at the company

  • The startup was classified as a Class B company, and not subject to the stricter security guidelines of a Class A system. They had a generous grace period to become Class A.

  • Class B companies in Finland have to go through a “self-assessment” and there was only one employee responsible for reviewing ALL Class B companies and applications. (This happens at security companies all the time btw). The one person that was responsible admittedly said it was “mission impossible”:

    Tapio says that Finland’s “supervisory authorities” then signed off on the system “numerous times” in the years ahead. Härkönen, who is one of those authorities, says that to monitor all the Class B systems carefully would be “mission impossible” for him. He adds, however, that there should be more “proactive inspections.”

  • The CEO knew about the ransom, but ignored it and hid it from his investors as he was in the middle of a deal. (Probably the worse part of all this)

Lessons Learned

What can we learn from all this? Well, here’s my jaded take:

  • Third Party Security reviews will never guarantee security. They are a liability checkbox ✅ item to say we did a review and our due diligence. In addition they are extremely underfunded. If you want real security assurance, you would do a security review of your third party, but no one does that except larger well-funded companies like Facebook. Note: Remember, you can always ask to review their architecture realtime if you want, the worse they can say is no. I used to do this myself when I wanted real assurance. However, most people don’t have time for this.

  • Small startups will often times have poor security. They are focused on shipping products and growth. It’s a generalization, but true. This is why we need security by default. We are lucky that React and other modern language have built in security, but we still have databases with unencrypted default connections. of course having a database directly accessible from the internet with no additional security controls is kind of beyond negligence, and should be criminal. As even the hacker said…

    In emails to Kärkkäinen, the hacker scorned Vastaamo: A company with security practices that weak was the real criminal, he recalls them writing.

  • Never ignore any security related message. It may seem like a scam, but either a security researcher is trying to legitimately tell you about something or an attacker is trying to communicate with you.

  • Always involve the authorities early on, especially with ransomware attempts. The FBI has field offices in every state and they want to know about your cyber attacks. If they can’t help, then at least it will be statistics for them. They actually recently recovered ransom from the Colonial Pipeline attack.

  • If your company is built on trust, and you breach it horribly, you could go out of business.

  • The security of companies affects everyone.