The District Court of Western Uusimaa has issued a verdict in the largest case in Finnish criminal history, measured by the number of victims.
The district court has sentenced Aleksanteri Kivimäki 6 years and 3 months in prison for the crimes related to the data breach of the Counter.
The district court accepted all charges of aggravated data breach, attempted aggravated blackmail, more than 9,200 aggravated dissemination of information infringing private life and nearly 21,000 aggravated blackmail attempts and 20 aggravated extortion.
The district court considers that the course of events that led to the indictment was largely clarified in the case.
Psychotherapy center Vastamo’s information system was hacked in November 2018, and the company’s patient database was illegally copied in this context.
After this, the counter and its customers were blackmailed in the fall of 2020, and customers’ very sensitive information was spread online.
In the data breach, the patient data of 33,000 Vastaamo customers was taken. Of the victims, 24,000 filed a criminal report.
Agreeing on compensation mitigated the punishment
The prosecutors demanded that Kivimäki be sentenced to 7 years in prison, which would have been the maximum punishment for the crimes.
Thousands of data breach victims joined the prosecutor’s demand in court. Kivimäki denied all the charges.
The district court considered that, taking into account the seriousness of the acts, the way they were done and Kivimäki’s extremely reckless attitude, the length of the prison sentence would be approximately 6 years and 7 months.
However, when measuring the punishment, the district court took into account the fact that Kivimäki, through the intercession of his defense attorney, had begun to agree on conditional settlements with thousands of interested parties who had submitted claims for compensation during the main hearing.
Instead, the district court did not accept Kivimäki’s demand that the media publicity received by the case should have been taken into account as a mitigating punishment.
The district court ordered Kivimäki to be kept in custody. According to the court, there has been no evidence in the case that detention would also be unreasonable considering the nature of the acts attributed to Kivimäki, his age and his other personal circumstances.
Kivimäki was disappointed with the verdict
Kivimäki’s lawyer Peter Jaari says that Kivimäki still denies having committed the crimes and considers that on this basis the charges should have been dismissed.
According to Jaari, Kivimäki is disappointed with the verdict and considers it incorrect. However, even such a solution could be prepared in advance.
– We knew how to expect the worst, of course. It was expected that the district court, under this pressure, would evaluate the evidence in such a way that he would be convicted of crimes, says Jaari.
According to Jaari, Kivimäki is very likely to appeal the sentence.
Court: None of the evidence excluded guilt
The district court stated that none of the evidence presented in the case alone showed that Kivimäki was guilty of the crimes described in the indictment. On the other hand, no evidence excluded Kivimäki’s guilt either. In the evaluation of the evidence, the evaluation of the evidence as a whole was therefore relevant.
The district court found that the crimes had been committed on a server that Kivimäki had been found to have used more than he admitted. Kivimäki had also been found to have used the encryption key and the IP address relevant to the criminal entity in a way that he had denied in the trial.
It was also significant that the server complex connected to the commission of the crime was related to the operations of a company partially owned by Kivimäki, and that the company’s business idea was also essentially related to the way in which the criminal complex was committed.
The panel discussion also supported guilt
According to the district court, Kivimäki’s guilt was also supported by the fact that Kivimäki had published messages related to the data breach and extortion of Vastaamo on the forum Ylilauda under his pseudonym in a purposeful, purposeful and fixed temporal connection with the extortion actions.
The district court found it implausible that Kivimäki would have been able to publish the messages in the way he did, if he had been outside the criminal organization and had only learned about it from the Supreme Court discussion or, for example, from the media.
From the point of view of guilt, it was also important that the fake purchase made by the Central Criminal Police had been shown to have ended up in Kivimäki’s bank account with the highest probability.
Kivimäki’s background influenced the criminal suspicions
Kivimäki’s name came up at the very beginning of the data breach investigation because of his previous criminal background and expertise. The defense considered that Kivimäki was punished because of the online crimes he committed as a minor.
Kivimäki was arrested in France on suspicion of crime in February of last year, extradited to Finland and imprisoned. The police investigation was completed at the end of August. The trial began in October and lasted until March.
Kivimäki has been imprisoned for well over a year, except for a short period of about a week.
Kivimäki is also suspected of other data breaches
In addition to the data breach at the office, Kivimäki is suspected of hacking into more than 14,000 servers in November 2018. He is also suspected of a smaller data breach, in which there is also another suspect.
If these criminal suspicions also lead to charges, they will be dealt with in court later.
Stealing customer information at the counter has already led to one criminal conviction in the past.
In April of last year, the Helsinki District Court sentenced the former CEO of Vastaamo Ville Tapio to a three-month suspended prison sentence for a data protection offence. The verdict is not legally binding, as it was appealed to the Helsinki Court of Appeal. The trial will begin in May 2025.