A file server folder on the city's internal network has had overly broad permissions.
The permissions for a single folder on the city of Riihimäki's internal network file server have been unnecessarily broad. The issue emerged during the city's information management development project, which systematically reviews the city's file servers and network drives. The project was launched to prepare for the transition to cloud services.
The file server folder permissions were correctly restricted on the same day the anomaly was discovered, Monday, September 22, 2025.
The file server folder contained the names and personal identification numbers of thousands of Riihimäki comprehensive school students and their guardians from 2014. The transfer folder, intended to be temporary, had been created for the 2014 student administration system change and should have been deleted once the change was complete. However, the folder was not deleted, and its read rights within the city were too broad. Technically, it has been possible for all city employees to read the files. The correct setting would have limited access to part of the personnel in the education and welfare sector.
There is no information on abuse.
The city is currently not aware of any attempts to exploit the information security vulnerability resulting from overly broad user rights for improper purposes.
The city's deputy data protection officer filed a data breach notification with the Office of the Data Protection Ombudsman on Monday, September 22. An organization must file a notification with the Office of the Data Protection Ombudsman when there is reason to suspect that personal data has been processed in violation of data protection regulations, even if no abuse is suspected.
“A personal data breach is a serious matter. The city has an operating model for such a situation, which was launched immediately after the matter came to light. We are actively working to develop information management. Since 2024, we have had an extensive city-wide project underway to systematically review the organization's information processing. The old folder that we received is an example of information management that does not meet current requirements,” says CFO Pekka Karvonen.
The city is not currently aware of any misuse of the data. If you suspect that a security vulnerability resulting from overly broad access rights has been misused, please contact the city's data protection officer: privacy@riihimaki.fi or 050 523 7304 (calls only).
Contact information
Varjo Vesa
Case management expert
Administration
Deputy City Data Protection Officer.
Pohjanvuori Maria
Information management manager
Administration and group branch