Data breach affecting clients of Transport Services
A data breach has been detected in the client register of Western Uusimaa Transport Services that organises transport services for persons with disabilities and the elderly in Espoo. The data breach involved clients’ personal data. The breach was detected by FCG Smart Transportation Oy, the City of Espoo’s transport service provider, in connection with an information security inspection on 22 November 2021. The breach affected 89 clients who have all been informed.
The data breach occurred during eight days between 4 July and 24 October 2021 when a former employee of FCG Smart Transportation Oy logged in to the Transport Services system after their employment relationship had ended. This was possible because FCG Smart Transportation Oy had not deactivated the person’s user ID. The person did not systematically search for clients’ information, but the person did some random searches and opened some bookings and client profiles.
The person was able to see information entered into the clients’ profiles for transport purposes, such as names, addresses, personal identity codes and other information needed for organising transport services.
The police are investigating the breach, an explanation is demanded from FCG
FCG Smart Transportation Oy has briefly discussed the matter with the person who searched for client information. The person has told that they were the only one who used the user ID. According to the person, their reason for logging in to the system was curiosity.
After the data breach was detected, FCG Smart Transportation Oy immediately deactivated the former employee’s user ID and checked all other IDs currently used within the system. No other similar transactions or active user IDs were found.
The City of Espoo has reported the breach to the police. Clients affected by the data breach can also submit a report of the offence to the police.
“We take all data breaches involving the city’s services very seriously. What makes this case especially serious is that the breach involves our clients’ personal data. We have reported the case to the police, but we have also demanded an explanation from FCG Smart Transportation Oy as to why the person’s user ID had not been deactivated and how the company will prevent similar occurrences in the future,” says Anu Autio, Manager of Disability Services.
- Transport Services