This article is from a couple weeks ago, the same day ADT submitted "Other Information" to the SEC about unauthorized access:
https://www.sec.gov/Archives/edgar/data/1703056/000170305626...
Again sigh
2024 Home security giant ADT says it was hacked (34 points, 14 comments) https://news.ycombinator.com/item?id=41193157
2021 Home Security Tech Hacked into Cameras to Watch People Undressing and Having Sex (32 points, 6 comments) https://news.ycombinator.com/item?id=25876366
2015 How to Hack an ADT Alarm System (78 points, 68 comments) https://news.ycombinator.com/item?id=8947172
It’s an overstatement to call the 2021 incident a “hack”.
If we want to use the word hack as a general term to describe the exploitation of notoriously weak security, then it's appropriate...
What about this one https://www.exploit-db.com/ezines/kr5hou2zh4qtebqk.onion/GoD...?
There’s no real consequence for security breaches. No fine. No reimbursement to the victims. No jail time for the CEO and board.
Are there real consequences in any country?
That healthcare CEO in NY comes to mind.
Yes. The 2018-9 breach and cyberextortion involving Finland's mental-health startup Vastaamo.
- CEO Ville Tapio was convicted criminally under the GDPR.
- The company failed in 2021.
- Finland's NBI tightened criminal code on privacy violations of data subjects, either intentionally or through gross negligence, if they cause damage or significant inconvenience to the data subject.
https://news.ycombinator.com/item?id=40210873
> The Helsinki Court of Appeal has overturned the criminal conviction of Ville Tapio, the former CEO of psychotherapy provider Vastaamo, in a case linked to one of Finland’s most serious data breaches. The court ruled on Thursday that Tapio was not criminally liable for alleged data protection failures related to the unauthorised access and publication of tens of thousands of patients’ sensitive information. Tapio had previously received a three-month suspended prison sentence from the District Court of Helsinki in spring 2023.
No prison time, and the conviction was overturned. Your post rather got my hopes up when it suggested that a CEO faced consequences...
They did: the Finnish CEO was criminally charged and convicted (under GDPR); that never happens in the US. (I wasn't aware it was overturned on appeal in 12/2025, nor is Wikipedia currently).
They did face consequences. That ex-CEO (and CTO) also essentially had their reputations shredded, and their behavior was publicly scrutinized (have you ever seen the Comcast CEO grilled by Congress? I haven't). Sure, it would be better if they had actually gone to prison. But my point is GDPR has teeth, unlike US state digital privacy laws.
> have you ever seen the Comcast CEO grilled by Congress?
I seem to recall some media circuses here and there about CEOs being subpoenaed by Congress, for example Zuckerberg. I don't really consider that a consequence in any meaningful sense.
Apparently the appeals court also released the hacker, even though his extortion led directly to the suicide of two people, and damage to thousands of others. Maybe the GDPR was meant to have teeth, but I can't help but wonder if the Helsinki Court of Appeals is for sale.
I share your outrage about companies abusing users' data, but we're mixing up several different things:
- the Vastaamo ex-CEO was in fact criminally tried and convicted (even if that conviction was overturned on eventual appeal) and had his reputation destroyed. That compares well for GDPR vs US state privacy laws, which is what I was saying to you. That was my point by saying the US Comcast CEO hasn't been grilled by Congress on those (he has on media mergers, but not his company's business practices). I'm agreeing with you that Congressional grillings aren't consequences in any meaningful sense.
- the Vastaamo hacker was not charged under GDPR, they were charged with criminal offenses: aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence.
- I was not aware the Vastaamo hacker had been freed after serving part of his sentence (although his conviction was not overturned), but it seems [0] it might have been for implicating other people in the cyberextortion/ransomware ring. And since those people were operating in countries without much rule of law, we'd expect actions were taken that didn't involve courts or journalists. I can't find any press coverage of that part.
[0]: https://www.bitdefender.com/en-us/blog/hotforsecurity/vastaa...
> Apparently the appeals court also released the hacker
The court of appeals found me guilty, despite the evidence clearly not supporting that conclusion.
I rather doubt it's because they're for sale, rather it would have been too damaging for the government to admit that they had framed me.
But now that it has happened once, will they ever do it again? A lot of innocent people lost their jobs through no fault of their own. I'm putting this in the context of the NCAA punishment given to SMU, frequently referred to as the death penalty. The NCAA has since said they would not do that again, as there was a lot of unanticipated collateral damage from that punishment decision.
In EU:
Violators of GDPR (personal data) may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Under NIS2 (cybersecurity), financial penalties may be up to either €10 million or 2% of the global yearly revenue, again, whichever is the greater amount.
ADT is the company that sells signs you put in your front yard to make burglars consider robbing your neighbors instead, right?
Don't forget the predatory door-to-door salesman implying you're going to get your house shot up and robbed tonight if you don't sign up now.
The only difference is instead of being robbed one time, you get robbed monthly for an overpriced three to six year commitment.