Latest news with #Vastaamo
Telegraph
4 days ago
- Politics
- Telegraph
No one is safe online – blame these depraved teenage hackers
In October 2020, tens of thousands of people across Finland received an email telling them that some of their most intimate secrets were about to be made public. A hacker had infiltrated the computer files of Vastaamo, Finland's largest commercial therapy provider, and was now blackmailing patients, including children, saying their therapy notes would be published online if they didn't pay a ransom of €500 each. The breach was so shocking that when the hacker, who went by the alias 'ransom_man', posted about the accomplishment on Ylilauta, a Finnish version of the notorious online forum 4chan, he was bombarded with messages from fellow users telling him that this time he'd gone too far. Ransom_man was used to making enemies. His real name was Julius Kivimӓki, and he also went by the aliases 'Zeekill', 'Ryan' and 'The Untouchable Hacker God'. He was a 23-year-old from Finland who, both individually and as part of cyber gangs, had been causing havoc online for companies and innocent people around the world since he was 13. In Joe Tidy's Ctrl+Alt+Chaos, an illuminating and often scary book about teenage hackers, Kivimӓki is cast as the talisman of various groups of young men – and they're almost exclusively men – who delighted in causing damage and cruelty on the internet in the 2010s, sometimes for money but mostly just because they could. The trope of teenage 'hackers in hoodies' sitting in their parents' homes and breaking into companies' online systems is now a little outdated. Businesses and organisations these days are more concerned about ransomware gangs and state-sanctioned hackers. Nonetheless, Tidy writes, from around 2010 to 2015, the world saw 'probably the most active period in history for youth cybercrime gangs' – and Kivimӓki was 'one of the chief architects'. Tidy, the BBC's first ever 'cyber correspondent', aims to use Kivimӓki's career to chronicle the rise of a 'sadistic' culture in which being an 'edgelord' – acting as provocatively and outrageously as possible – took precedence over anything else, including how many victims might be hurt, or how badly. The structure doesn't always work: Kivimӓki, who was sentenced in 2022 for the Vastaamo hack and is in prison until 2026, couldn't be interviewed by Tidy, meaning he remains a somewhat shadowy figure despite being the nominal centrepiece. But as an insight into how very young teenage boys can get lured into a world of cybercrime – and, crucially, seem not to care about the pain they're causing – it's fascinating. Until roughly the early 2000s, most amateur hacking groups cast themselves as ethical: they would, for instance, breach online systems to embarrass greedy corporations. But around 2010, Tidy says, something 'went horribly wrong'. Suddenly gangs weren't hacking for any particular reason beyond causing mischief and receiving their peers' recognition. 'If there was any strategy to our attacks,' one former teenage hacker recalls, 'it was mayhem.' Tidy puts much of the blame on Twitter, which 'gave birth to a new generation of fame-hungry hackers' who could boast about their work to win followers and clout. Groups such as Lulzsec, HTP (Hack the Planet), UG Nazi and Lizard Squad – with all of whom Kivimӓki had some involvement or connection – would engage in 'deliberately cruel' acts just to show how irreverent they were. Sometimes these hacks involved a level of sophistication: one group took down both the Xbox Live and PlayStation Network, used by a combined 158 million people, over Christmas 2014. But often the tactics were so simple as to not be considered hacking at all. Among cybersecurity criminals and experts, these young men were derided as 'script kiddies' – the lowest tier of hackers. One favoured technique of these teenagers, for example, particularly in America, was 'swatting': police would be contacted about a bogus 'emergency' at someone's home, so that an armed Swat team was sent to the victim's door. A particularly distressing case, related by Tidy, is that of a 17-year-old boy from Illinois named Blair Strater, who became the focus of Kivimaki's ire: on more than one occasion, armed police appeared in the night at Strater's and his parents' home. The email and social media accounts of Strater's mother were also hacked by Kivimӓki and HTP, who then wrote anti-Semitic and racist tirades under her name. The adult Straters' marriage fell apart, Strater's mother lost her job during the ordeal. At this point, some other teenage hackers begin to distance themselves from Kivimӓki. 'We started to realise the type of person he was. The way he treated Blair was wrong,' one former hacker recalls. Yet the Straters were comparatively lucky. Another incident led to an innocent father-of-two being shot dead on his doorstep by armed police. Meanwhile, another young wannabe hacker who mouthed off about Lizard Squad – with whom Kivimӓki was also involved – was forced to cut himself dozens of times along his forearm and take a picture of it while holding a card saying 'LizardSquad made me do it', in order to get his online accounts back. 'It was pure sadism,' one participant admits. When caught, because most of the perpetrators were under 18, they often received extremely light sentences. For some, this was enough to set them straight, but for others it just made them feel invincible. One former member recounts how 'making global headlines made him feel like a god'. Tidy does a good job of tracking down and talking to such ex-hackers. Unsurprisingly, what comes out is that, in many cases, these boys were extremely lonely, bullied at school or had a hard home life; they desperately wanted the camaraderie of friendship. Most had found their way into these gangs through obsessively playing computer games and coming across forums that listed cheat codes – then matters spiralled. The first parents knew about it was when the police appeared at their door. They'd thought their son was just playing computer games. While there was no hierarchy within these gangs, Tidy says they were usually led by whoever was most outrageous or most sophisticated at hacking. Kivimӓki sounds like he was a dangerous combination of both. When Finnish police raided his bedroom in 2013, he was just 16, but there was so much illegal activity on his computer that they had to limit their investigations to just the bigger cybercrimes. Antti Kurittu, a Finnish cybersecurity expert and former police detective, says that Kivimӓki hacked a therapy company simply because it would cause distress: 'I don't think he was ever interested in cybersecurity that much. He was just interested in causing mayhem to people's lives… he is uncaring to a degree which is difficult to understand.' The spate of 'edgelord' teenage hackers had appeared to have died away; but at the end of his book, Tidy mentions new groups such as Scattered Spider, who appear to be made up of teenage boys, some as young as 16, who work with notorious Russian ransomware groups and are willing to use offline violence as part of their threats. Scattered Spider is alleged to be linked to the recent hacks of Marks and Spencer, the Co-op and Harrods. Authorities believe that gangs will emerge in new digital spaces such as the metaverse, and that the best way to avoid that will be education: teaching children 'where the lines are' online. If we fail to do that, Tidy writes, we're 'enabling the cyber criminals of the future'.
Techday NZ
11-05-2025
- Techday NZ
Privacy Week: Sensitive information stored online can hurt you
Have you ever stopped to think about how much of your personal information is stored online? You might be surprised to know that a considerable amount of your most sensitive information is has been filed away in the cloud by the companies and government departments you deal with your medical records, private conversations you've had with others, financial information, purchases you've made and more. This kind of data is routinely accessed by cybercriminals. In fact, it's possible some of your sensitive data is available on the dark web right now. It all comes down to what information you share with organisations and how they protect it. Do they take their role as guardian of your data seriously? The sad reality is, we live in a country where many businesses don't. And even the companies that do take cyber security seriously can't guarantee your data will be safe from a cyber-attack. As Privacy Week 2025 begins, it's a good reminder for you to be careful with the information you share, and who you share it with. The truth is, in the modern world you often have no choice but to share personal information. You may be able to limit what you share on social media or the number of online accounts you sign up to, but it's a lot more difficult to control how organisations store your essential records like your medical data or financial information. Privacy Week should really be less about individuals, and more about business leaders considering the data they hold and what they are doing to ensure it's protected. The personal impact of a cyber breach When personal data is leaked, depending how sensitive the information is, it can cause significant harm to victims. However, cybercriminals don't care about the damaged caused to individuals. For them, personal data is a valuable bargaining chip to force the companies they hack into paying an extortion demand. In February this year Genea Fertility in Australia was breached with up to 700GB of data stolen and listed on the dark web. It was reported that contact details, Medicare card numbers, medical histories, test results, and medications were compromised, although Genea is yet to confirm this. Genea's silence has only deepened the anxiety, adding stress and turmoil to what is already a deeply personal and emotional fertility journey. There are also growing international trends of cybercriminals blackmailing individuals. This can profoundly impact wellbeing and have harrowing consequences. Take the case of Swedish psychotherapy provider Vastaamo whose databases containing confidential mental health information were breached in 2020. When the company refused to pay the ransom demand, the hacker emailed thousands of patients asking for 200 Euros and threatening to publicly share their personal details. At least one suicide has been linked to the case, a devasting outcome of what can happen when private data is weaponised. It's about the stick So, what's going to get New Zealand businesses to take cyber security seriously? I think it's more about the stick than the carrot. In 2016, company directors became personally liable for health and safety negligence. This prompted a significant rise in due diligence and New Zealanders were better protected at work. Protecting personal data should be treated in the same regard as health and safety. At the very least, we need to look at the fines the government can issue to businesses hit by cyber-attacks. Currently in New Zealand, the maximum fine that can be issued is $10,000, and that's for not disclosing a data breach to the Privacy Commissioner. Compare that to Australia where their maximum fine for serious interference with privacy is $50 million. That's an incentive that would really get business leaders to take their responsibility seriously. What can individuals do? New Zealand legislation won't change overnight, but we should continue to put pressure on organisations collecting data to uphold our privacy. However, protecting yourself online can help you avoid, or better manage your affairs, if your personal or financial details are breached. Here are four basic tips: Never save your credit card details Sure, it's nice to have your credit card details saved into your browser, but it's not worth the risk. If your device or the shopping site is compromised, a hacker can easily steal your credentials and fraudulently charge your cards. Always use multi-factor authentication (MFA) Having to get your phone out each time you log in to an important app or website to verify yourself is a hassle, but it's one of the best ways to lock hackers out. It is easy to ignore device updates to your phone or computer, but you should install them as soon as they're available. Secure your most used apps. There are a range of built-in privacy tools from WhatsApp, Facebook, and Google that allow you to review and tighten your security settings. Be sure to do this! You might be surprised how much information can be scraped from public profiles. Only share what you need to. Limit what information you share online, whether that be on social media or through surveys, online forms, competitions or other mechanisms companies use to collect personal data. Only share what is necessary. My parting advice is to remember your private data is valuable, especially to cybercriminals.
