WIRED – JERE WOKE UP on the morning of October 24, 2020, expecting what Finnish college students call normi päivä, an ordinary day.
It was a Saturday, and he’d slept in. The night before, he had gone drinking by the beach with some friends. They’d sipped cheap apple liqueur, listened to Billie Eilish on his boom box. Now Jere (pronounced “yeh-reh”) needed to clear his head.
He was supposed to spend this gray fall day on campus, finishing a group physics project about solar energy.
The 22-year-old took a walk around the lake near his apartment outside Helsinki. Then, feeling somewhat refreshed, he jumped on the bus.
The day went quickly. Jere caught up with his friends, many of whom he hadn’t seen since the pandemic began. They chatted about their Christmas plans, ordered pizzas from a favorite local spot, and knuckled down to work in the cafeteria.
At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake.
The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it.
A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken.
A group of hackers, or one masquerading as many, had gotten hold of the data. The message in Jere’s inbox was a ransom demand.
“If we receive €200 worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers,” the email said in Finnish.
If Jere missed the first deadline, he’d have another 48 hours to fork over €500, or about $600. After that, “your information will be published for all to see” … Click here to read more.