This morning Finnish tabloid Iltalehti broke the news that a three-person team looking to submit a Tekes application found a security hole in Tekes’ application system, allowing them to download a database of 20,000 companies’ corporate strategy and confidential information. Tekes, the Finnish Funding Agency for Innovation, supplies publicly funded grants and low-interest loans to startup companies, research organizations, and larger Finnish corporations alike.
The team was able to download this information through an exploit in PDF printing, which was found at the end of February. In contrast to Iltalehti’s numbers, Tekes says this included 3,622 clients and 8,323 applications. The exploit only gained access to applications submitted from June of 2013 and included only written forms and drafts, not any uploaded attachments.
Anne Palkamo, lead of communications for Tekes, says that all of the companies have been informed this morning.
After the team downloaded the database, Iltalehti reports that the company then had concerns about submitting their own application to Tekes, and informed the organization. Police then arrested two of the three suspects, with one still outside police custody.
Reijo Kangas, an Executive Director at Tekes focused on growth companies, tells ArcticStartup that they expect that the information hasn’t been used, but they’re not sure about it yet. The police arrests and investigation are an attempt to get to the bottom of this question, but they raise the issue of whether Tekes and the police are shooting the messenger and scaring off future exploit reporting, considering the team alerted Tekes. In contrast, larger tech organizations like Facebook and Google provide bug bounty programs that pay out rewards to ethical hackers.
Entrepreneurs will tell you that ideas don’t matter – it’s how you execute on an idea that counts, but this still raises questions about data security. “Maybe my cases aren’t super secret, but if we’re doing something patentable I would talk to them about how they secure data from now on,” says Teppo Hudson, CTO at Cosmethics.
Antti Vilpponen, CEO of UpCloud, says (in a more nuanced comment below) that they haven’t done any projects through Tekes, but they wouldn’t be too worried in the future. “It’s basically how we at UpCloud relate to security breaches – we haven’t had any – but with any security breaches with technology failing, and the big question is how you respond to it.”
“They began to disclose or inform their customers about it, and they patched it. They did what anyone expected them to do.”
The Tekes contacts we spoke to say that they haven’t received too much concern from entrepreneurs, and the mood on Twitter seems to be more a sarcastic response about shooting the messenger than fury about data leaks. What’s your take on the news?
Top photo by Susanna Lehto