Knowing the timeline of events and the nicknames attributed to him (ryanlol included), some interesting posts can be found. For example, in the period between the CEO starting communication (September 2020) and the clinic's public admission (October 2020) [1], ryanlol replied to a top comment (Oct 3, 2020): "If you’re a hospital or, say, a school district, 'never pay' is simply an unconscionable attitude" [2]. Isn't it a hacker raging at the management that refuses to pay?
No more questions, Your Honor. Forgive my joyful attitude, but it was your choice to participate in this discussion. As you know from your years and thousands of posts, HN threads are often ephemeral and short-lived - and this one is no exception. Or maybe not... because of your active self-defense posting here, I assume for the first time since the arrest. Now dozens of fellow (HN) hackers are querying your nicknames on Google, Algolia, and whatever else they have at hand. I'm not sure they'll find someone who genuinely fights for a more secure world. Or prove me wrong if you wish.
I find it strange to report on a hacker releasing personal information, while building the narrative of the story with all of the personal details like "she’d had three children by the time she was 25, including twins who had been born extremely prematurely in the 1980s, weighing only a few hundred grams each", "crumbling marriage", and suicidal ideations.
I thought the whole point is that they were upset that their personal life was being broadcasted to the internet.
I was 17 at the time :) And FWIW, the whole joke there was that neither me nor the other guy being interviewed had anything at all to do with the attacks on PSN and XBL.
Yes, I'm sure my comments here are just full of terribly damaging stuff.
Not sure what the theory here is. Am I supposed to worry about the judges stalking me online and reading my HN comments professing innocence?
The prosecutors couldn't, and wouldn't even want to use anything I've written here, especially considering the trial is over and they can't just file new evidence.
> "Unfortunately, we have to ask you to pay to keep your personal information safe.”
I can't put my finger on why, but the faux "aw shucks, our hands are tied" makes me even more pissed off by the fact that they're leaking people's therapy notes. Just come out and say you're an amoral money seeker.
I'm a broken record about this by now, but stories like these keep reminding me how broken the law is for ethical hackers in Germany. If an ethical hacker found something like this in Germany, it would from my knowledge not be clear if entering an empty password counts as "circumventing or breaking a security barrier". "No password barrier" has recently been clarified in courts, but "Static Password" hasn't.
And once you break a security barrier, you're breaking the law. Even GDPR doesn't help you there - that just ensures more people are breaking different laws. And this can get all your devices seized, land you in jail, end your career, cause thousands of Euros of equipment loss, because the new laptop naturally got lost in the return process after 6 - 12 months.
And thus, many people with the skill to find such problems and report them silently to get them closed do ... nothing. Until bad people find these holes and what the article describes happens. And Europe has hacker groups who could turn our cybersecurity upside down in a good way. Very frustrating topic.
> At the end of the trial, however, this had little impact on the verdict. The presiding judge stated for the record that the mere fact that the [publicly available] software had set a password for the connection meant that viewing the raw data of the [publicly available] program and subsequently connecting to the [publicly available] Modern Solution database constituted a criminal offense under the hacker paragraph.
Yes, taking publicly available data verbatim (no ROT13, nothing) and talking to a publicly available server on the internet can in fact be a criminal offense.
Thank you for providing an example that is exactly showing how messed up this is:
> Der Vorsitzende Richter gab zu Protokoll, dass alleine die Tatsache, dass die Software ein Passwort für die Verbindung gesetzt habe, bedeute, dass ein Blick in die Rohdaten des Programms und eine anschließende Datenbankverbindung zu Modern Solution den Straftatbestand des Hackerparagrafen erfülle
> The Judge gave to protocol that just the fact that the software requires a password for the connection, implies that a look at the raw data of the program and a subsequent database connection is considered hacking.
So yes, entering an empty password can cause all of your electronic devices in all your registered residences to be seized as evidence.
Note that the decompilation is on the complexity level of "strings $binary".
Germany is the most contradicdory country I know of, and such a huge warning flag to anywhere else. For decades, half of children's education has been spent on hammering in "Never Again". Surely there are two huge lessons to learn there: 1. Do not judge the value of people based on their biological characteristics they were born with 2. "I was just following orders" is not an excuse, and one needs to instead do what is right regardless of protocol.
There is no European country which does a worse job at both of these. Germany is easily the number one country in the world for "protocol is everything". It doesn't matter how detrimental and damaging the rules are, the rules are the rules, and they must be followed. This case is the millionth example. The rules are interpretable as it being illegal to access data with a publically available password using this password, so we're going to apply them, despite it being patently absurd. For the first point, German's reponse to Gaza (the slowest in all of the West) said everything.
> The rules are interpretable as it being illegal to access data with a publically available password using this password, so we're going to apply them, despite it being patently absurd.
I very much agree. I do think that this kind of ethical hacking should have a legal framework around it, to protect both sides during such an access. But this should be more on the basis of responsibly minimizing access to protected data as well as minimizing foreseeable damage.
For example - running a select on a database may show you private and protected data, but if this is done to validate a problem, fine. Start digging for data on specific persons? Touch something called "Pump Controls"? This would however require technologically competent judges, and those are rare.
As I said, a frustrating topic and it will become very interesting if a hostile state starts pushing on this.
German government and courts are as opportunistic as everywhere else. German government ignores EU laws (ex: water protection), its own courts (ex: air pollution court orders, time record keeping for teachers) and worker protection (ex: false self employment of music teachers).
"the patient records database was accessible via the internet; there was no firewall and, perhaps most egregiously, it was secured with a blank password, so anyone could just press enter and open it"
There _should_ be a bunch of people in jail for that. Including, but not limited to the CEO. It should also include all the people on the org chart between whoever set that database up and the CEO.
Indeed, the CEO was held criminally liable, but the charges were dropped in a higher court just recently. From the article:
"In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"
More specifically, he was charged of a data protection crime (i.e., note that in Finland these GDPR-like things are also in the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of a CEO or that CEO-level gross negligence occurred.
According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.
> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.
> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.
> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.
> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.
> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.
It isn’t absolutely everything, it’s for negligence. If you don’t have basics in place, like independent pen-tests, ISO 27001 audits — or some equivalent — when you’re handling clinical data, then that’s negligence.
If a breach happens and you were seen to have followed best practice, you won’t be found criminally negligent.
That is part of being an executive. The buck stops with you — if you’re an executive, you’d better understand your obligations, you get the big bucks for a reason, it isn’t just a fancy job title.
Other people in the organisation can be held accountable for criminal acts, but when it comes to criminal negligence, it’s the executives that are liable, because it’s a systemic failure and you’re deemed to be in-charge of the system.
>if you’re an executive [...] you get the big bucks for a reason
In Finland? Notably wage-compressed Finland?
No comment on the specifics of this case, I agree with you that the executive should be where the buck stops. But you would be surprised how many various execs I have met here over the years who admit behind closed doors they really do treat it as a fancy job title that barely pays above their last position, but comes with 3x the stress, and they do it simply because, well, someone has to. You can't really be surprised that most of the folks here who you might want to be in the C-suite decide it's just not worth it, that remaining a middle manager or even an IC is simply a far better value proposition.
Posting anonymously here. I was on the leadership team of a Nordic public company, reporting to the CEO, presenting to the board and representing the company at the AGM. Total comp a little under $200k.
The compensation really didn’t match what you take on in terms of responsibility and legal liability. The stress was significant too. That said, as you point out, the work needs doing.
Recommended if you have an over-active sense of duty, not otherwise.
But this is not “absolutely everything”. No one is saying CEOs should be accountable for every action of an individual employee.
So if not the CEO, who is accountable when something like this breach happens? The CTO? The PM The DBA? Nobody? Maybe they’ll care developer who wrote the code or botched the configuration should be prosecuted?
CEOs can justify their pay be being accountable for what their company does. They’re the CEO, after all. Maybe they’ll care more when they have some actual skin in the game.
When a bridge fails, it is the professional engineer that signed off on that part. If you want someone to sign off on software or IT you will need to pay them quite a lot.
Yes, I would expect compensation to increase proportionally with accountability. What makes no sense is compensation that increases irrespective of accountability.
Being the CEO of a company that handles risky, sensitive things should be risky for the CEO, personally. And their compensation can reflect that.
That could be outlawed as well as it probably wouldn’t be too difficult to show that person wasn’t actually making any of the decisions. Not that I expect any of this will ever happen.
Funny whenever people complain about the GDPR here they're thinking they would be slapped with a €20Mi fine and that EU team 6 is going to parachute in their office and arrest everyone
Well, not for public bodies at least: “ Administrative fines cannot be imposed on public organisations, such as the government or state-owned companies, municipalities and parishes” [1]
But luckily this sort of thing never happens in the public sector. Except for when it does: https://yle.fi/a/74-20094950
That's interesting, because if you go here https://www.enforcementtracker.com/ there are a lot of public institutions being hit with fines (if they are enforced it's another issue) - search for Municipality for example
However I don't see any municipality in Finland getting fines
The law is written such that they could do all that to a small family business that forgot to delete their Apache logs, which isn't good and leaves room for abuse even if they pinkie swear it's only meant for big violations.
Only after informing you, giving you the opportunity to fix things and many many other steps. The harshness is directly related to the size of the company and the companies willingness to fix any issues. They want companies to comply.
Yes it was. The company was fined 20M EUR on standard GDPR-basis and went bankrupt (but unlikely due to the fine alone). Please re-read the above discussion.
>Exactly, was it a burglary when your front door is open
Legally speaking, yes in every place I've ever lived if all those things are the case it's still a burglary, although the cops may call the victim an idiot.
"Breaking and entering" it's a criminal offence, and walking through an unlocked front door back door doesn't count. If you are on someone's land but didn't have to break in then that's trespass, which is just a civil offense.
Theft is a crime in any case (indeed even if you're not on their land e.g. snatching a phone off the street).
> "Breaking and entering" it's a criminal offence, and walking through an unlocked front door back door doesn't count.
No breaking and entering is known as burglary. Also if you walk through the front door with the intent to commit a crime it is still burglary. The important part is trespassing with the intent to commit a crime.
OK, I probably should specify closer, but while the other commenter has noted there is "burglary" in the UK, I was using burglary in the vernacular, meaning you entered someone's house without their knowledge and stole some shit. I was perhaps unclear with this and in fact in some places what entering someone's house that is not locked and stealing some shit may be a different crime than when it is locked both variations are still generally described, in common usage, as a burglary and are both illegal according to every legal code of every place I've lived, which I've lived in a lot of Western Civ type places.
I am English. It took me all of like 30 seconds to look up the relevant law using Google. Most of Anglosphere has a definition of Burglary that is essentially the same and I suspect it is the same in Europe.
> Exactly, was it a burglary when your front door is open, lights on, spotlights on your wall safe, with the keys still inserted?
The thing isn't just the discovery of the "open door", though. Thousands of people were extorted in a pretty heinous way. Even if we say breaking in took little sophistication or effort, what was done with the data also matters.
Yes. Similarly, If I leave my car unlocked with the keys in the ignition, and someone takes it is still a crime. It might be unwise to do that (depending on where you are), but nonetheless it is still crime.
It's an odd position to take, that a crime was not committed or the offense isn't as bad if the difficulties of committing the crime have been removed or reduced.
Yes, it’s still wrong to take things but the guy should get like community service teaching white hat techniques or something. The CEO should be charged with gross negligence, fraud, and any HIPPA/Medical records laws he violated - per capita. Meaning he should face 1M+ counts of …
What does "the crime is less egregious" even mean?
Morally, you burglarized a home.
Legally, at least in CA, the charge and sentencing are equivalent.
If someone also commits a murder while burglarizing you could argue the crime is more severe, but my response would be that they've committed two crimes, and the severity of the burglary in isolation is equivalent.
Now, how do we apply that to today’s current events?
Is it still a crime if the roadblocks to commit the crime are removed? Even applauded by some? What happens when the chief of police is telling you to go out and commit said crimes?
Law and order is dictated by the ruling party. What was a crime yesterday may not be a crime today.
So if all you did was turn a key and now you’re a burglar going to prison, when the CEO of the house spent months setting up the perfect crime scene, shouldn’t the CEO at least get an accomplice charge? Insurance fraud starts the same way…
It's a common attitude with people from low-trust societies. "I'm not a scammer - I'm clever. If you don't want us to scam your system why do you make it so easy?"
The Internet is the ultimate low-trust society. Your virtual doorstep is right next to ~8 billion other peoples' doorsteps. And attributing attacks and enforcing consequences is extremely difficult and rather unusual.
When people from high-trust societies move to a low-trust society, they either adapt to their new environment and take an appropriately defensive posture or they will get robbed, scammed, etc.
Those naïfs from high-trust societies may not be morally at fault, but they must be blamed, because they aren't just putting themselves at risk. They must make at least reasonable efforts to secure the data in their custody.
It's been like this for decades. It's time to let go of our attachment to heaping all the culpability on attackers. Entities holding user data in custody must take the blame when they don't adequately secure that data, because that incentivizes an improved security posture.
And an improved security posture is the only credible path to a future with fewer and smaller data breaches.
We can start by stopping the use of posture like you’re squirming in your seat. I’ve heard that term for the last 10 years and never has it been useful. Policy yes, Practice if you must, Mandate absolutely, Governance required.
Using posture is a kin to modeling or showing off clothes, the likes of which will never see the streets. Let’s all start agreeing that the term is a rug cover for whatever security wants it to be. Without checks and balances.
If your posture is having your rear end exposed and up in public then…
It's a generic, albeit somewhat euphemistic term. I agree we could do with some better messaging. Dirty and direct is usually more effective. How about this framing?
The Internet is a dark street in rural India and your dumbass company is a pretty young white woman walking around naked and alone at 2AM. It's not your fault morally if someone rapes you, but objectively you're an idiot if you do not expect it. Now, you getting raped doesn't just hurt you; it primarily hurts people your company stores data about. Those rapists aren't going away, so we need you to take basic precautions against getting raped and we're gonna hold you accountable for doing dumb shit that predictably leads you to getting raped.
> If your posture is having your rear end exposed and up in public then…
Right, that is most companies' current security posture: Naked butt waving in the air. "Improving your security posture" is just a euphemism for "pull your pants up and put your butt down".
> Using posture is a kin to modeling or showing off clothes, the likes of which will never see the streets. Let’s all start agreeing that the term is a rug cover for whatever security wants it to be. Without checks and balances.
No, I will not agree with that; that's ridiculous. "Improve [y]our security posture" is not some magic talisman used to seize unchecked power within an organization. It's basically just the Obama Doctrine brought to computer security: "Don't do stupid shit".
“Improve [y]our security posture” absolutely is without a definition of posture. Does that mean more monitoring? More security team members?
Posture is no replacement for a plan.
Originally it was “how we follow our plan” but that has since been thrown out the window. Now, posture is code word for cover.
I don’t mean to vent it’s just tiring having to deal with varying degrees of posturing where everyone is just haphazardly laying on a couch watching TV.
Someone presented a hypothetical scenario: What if a hacker would write a virus, which breached a totally unprotected database after the hacker has passed away. It's clear that the therapy provider is at least partially responsible.
I'm not well versed in Finnish law - but in the USA simply the act of accessing a computer without authorization, even if it not secured, can be a crime under the CFAA. So the company is still a victim, and obviously the patients as well, even if they are incompetent. For the same reason that a person that gets burgled because they left their door unlocked when they left the house is still a victim.
But if you attest that your computer system is not accessible by any passersby in order to pass compliance, is that not also a crime? If it is indeed accessible to just anyone? HIPAA law violations and all that
I’m not arguing the person who stole didn’t commit a crime - just a lesser one than actually breaking in, cracking a safe, and making off with the jewels. I think the CEO and executive staff are culpable.
Yup, I heard of an ERP full of microservices and many endpoints dont check authorization at all and the auth mechanism doesnt check valid user credentials. Seems like they are very common.
Still reading the story but just hit that line and came here to snarkily post, “another MongoDB success story”. I should probably talk to my therapist about this desire to be seen as funny.
Unfortunately that relies on Joe Tidy as the source.
I tend to refrain from being overly critical of journalists who write about me, but Joe Tidy is a special kind of idiot who wrote an entire book about me based mostly around interviews of people who aren't actually the people they claim to be.
I am indeed the guy in the article. My side of the story is fairly boring, didn't do crime but got blamed for it anyway by desperate cops. The whole investigation has been bizarre, for example, no-one has ever searched my homes, or even attempted to seize my personal devices.
Should find out within the next couple of months if the appeals court decides to acquit.
In some circumstances it has a registration wall. I recently ran into it on one of my computers, and it prevented me from reading some articles until I removed the modals with browser devtools. Stupid and pointless, and just pushes people away or towards workarounds like archive.is. I've given The Guardian money in the past but I don't have or want an account.
Just because you immediately clicked "yeah sure sell all my data so I don't have to pay" doesn't mean it's not paywalled, please be a little more discerning.
He’s done less than seven years of time, shows no remorse and even denies doing it in the first place. You dropped the ball on this Finland, don’t be surprised when he does it again. What a disgusting human being.
I'd bet good money that this dude has some sort of antisocial personality disorder, and really can't be "cured", so to speak.
Something tells me he'll try to sneak out of Finland (which is easy due to Schengen), purchase a new passport, and leave Europe.
I guess a silver lining here is the possibility that he'll commit crimes in countries with far harsher penalties than Finland.
I've lived in Finland myself, and currently live in Norway. Lax punishments for the sake of rehabilitation is the standard, and I'm fine with that. But some people, like this one, simply can't be rehabilitated.
As per (AFAIK) this hacker's rant on some Tor-based image board, he gloated the login credentials to the Vastaamo's systems were admin:admin. So much for 'hacker god'. This is a Hackers (1995) tier vulnerability. Also, it's sickening that YOLOing security to this extent is even possible in 2020s.
This isn't a great solution, but it has helped me forgive myself, maybe it can be a trend in the future: You didn't pick your DNA, you didn't pick your environment. (Determinism in a nutshell)
The bad things that happened to you, and the bad thing you did, should be seen as somewhat outside our control.
I think of my worst google searches (nsfw stuff) and think: "Well, I'm just a chemical reaction."
But then again, I read the book A Billion Wicked Thoughts and found I'm pretty vanilla, we just don't talk about these things out loud.
Maybe my life is tame, but even when I hear from other people, everything seems pretty reasonable.
I know this is an 'after the fact' fix, but its a tool for our toolbox. We could look at people who criticize us as people who are ignorant of Determinism. (But we still need mechanisms to deter bad behavior)
Any insurance covered therapy in the US. And assume any private practice that does not explicitly state they do not electronically store session notes.
Apart from therapy, I expect a lot of sensitive and private information to be hacked and released in the next 10 years. Most importantly, all non securely encrypted text based communications.
Which begs the question why this all has to be put in electronic form.
Using your face or fingerprint to unlock things, which anyone can steal. Many people even have their retinal scans stored in their opticians' databases which won't be secure either as biometric ID.
Ethically speaking it seems like you should not be accessing commercial news sites if you're not willing to pay in some way for the work of the people writing the articles.
Show context-based ads instead of spying on people would be a good start. That should be the only form of legal advertising. It is for sure the only form of potentially ethical advertising.
I also pay to get past paywalls when a site has content I want to read, rather than try to sneak past using some dodgy mirror.
"Jazz police are looking through my folders. Jazz police are talking to my niece. Jazz police have got their final orders. Jazzer, drop your axe, it's jazz police!"
[1] https://en.wikipedia.org/wiki/Vastaamo_data_breach#Backgroun...
[2] https://news.ycombinator.com/item?id=24672687
reply