Cell phone operator sent Government account information on some 7000 employees in an unprotected e-mail
February 17th, 2006 by Juha-Matti, Filed under: Commentary, Privacy, Corporate Security
According to the Finnish Ministry of the Interior, the risk of a leak of confidential information arose from a single unprotected e-mail message. The cell phone operator TeliaSonera sent detailed information on thousands of the ministry’s employees using the company’s mail servers located outside of Finland.
Naturally, such data (names, phone numbers, positions) is quite sensitive when it concerns employees of institutions controlled by the ministry.
The whole case started on Tuesday, when the ministry released information about an unspecified security risk related to thousands of cell phone accounts, including those of the “violence unit” of the police force and the National Bureau of Investigation. At the same time it stated that personnel had been advised not to discuss confidential subjects on their cell phones.
Mrs. Ritva Viljanen, Chief Secretary of the Ministry of the Interior (i.e. Permanent Secretary), spoke of the connection to TeliaSonera, which is responsible for a significant number of ministry cell phone accounts. According to Mrs. Viljanen there was a risk of eavesdropping related to this unspecified security problem.
The situation changed rapidly when an official press release from TeliaSonera Finland disclosed details about an e-mail sent in January.
The well-known operator TeliaSonera disclosed this lapse in its security and privacy practices immediately; the message had been sent as part of an ongoing switch of operators.
Additionally, the company says there was no confidential information in the message at all. “There was far too much information, and it was sent to too many people”, says Viljanen. See the Helsingin Sanomat article referenced below for details about the differing views on this subject.
According to new comments from Mr. Erka Koivunen, the chief of the local CERT-FI team, it is possible that such disclosure of information can aid the more traditional eavesdropping methods if used by criminals. Additionally, the local IT community has had theoretical discussions about fake base stations, recent Bluetooth vulnerabilities, cloning of SIM cards, etc. All the available links are in Finnish, however.
A home address and other details can enable physical eavesdropping on another participant, local online news reported today. According to Mrs. Viljanen, 15 separate records per account were included in the e-mail attachment mentioned. A different telecommunications service provider, Elisa, won the competition for the mobile telephone connections.
In fact, Mr. Koivunen “dropped a bomb” with his additional information. For a whole week both IT news and non-IT news have been wondering what the possible connections to the eavesdropping fiasco are. How is it possible to listen to GSM phones with the help of account information? The answer is: it is not possible.
In Finland you can forbid the disclosure of your personal information from the population registration system for purposes such as direct marketing, genealogical research, etc. The most effective level in use is ‘Non-disclosure for personal safety reasons’. See this page for details. Policemen are the biggest group using this right. Needless to say, these officials normally want to keep their cell phone numbers hidden as well.
The CERT chief also pointed out that even pieces of confidential information can help people using surveillance techniques. I completely agree.
This case emphasizes the importance of standing guidelines and processes for sending classified Government information when an international company is involved in handling it.
One of the original news items was published in the biggest local newspaper “Helsingin Sanomat”.
>TeliaSonera sent detailed information on thousands of the ministry’s
>employees using the company’s mail servers located outside of Finland.
According to TeliaSonera, that mail never went out of TeliaSonera’s intranet and no outsider could have seen it. Also, it was sent to the
Ministry of Interior in a format they had agreed. I guess that the main problem may be that someone in the Ministry of Interior forwarded the mail they received to someone else inside their own organisation, i.e. to someone who had no rights to see it? So perhaps they just started to argue with TeliaSonera to cover their own mistake?
>According to Mrs. Viljanen there was a risk of
>eavesdropping related to this unspecified
>security problem.
GSM eavesdropping is possible in any GSM network, but it’s still very difficult to do in real time. A number of attacks on the A5/1 cipher have been published. Some require an expensive preprocessing stage after which the cipher can be attacked in minutes or seconds. Until recently, the weaknesses have been passive attacks using the known-plaintext assumption. In 2003, more serious weaknesses were identified which can be exploited in the ciphertext-only scenario, or by an active attacker.
As for the A5/3 cipher: in 2001, an impossible differential attack on six rounds of KASUMI (i.e. A5/3) was presented by Kühn (2001). In 2005, Israeli researchers Eli Biham, Orr Dunkelman and Nathan Keller published a related-key rectangle (boomerang) attack on KASUMI that can break all 8 rounds faster than exhaustive search. The attack requires 2^54.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 2^76.1 KASUMI encryptions. While this is not a practical attack, it invalidates some proofs about the security of the 3GPP protocols that had relied on the presumed strength of KASUMI.
So far there are no GSM base stations that support A5/3, so every operator still uses A5/1.
I think the attack worked on by Orr at Technion.ac.il can cause the system to drop back to the weaker supported protocol.