Computer Hacking Offences In Finland
I. Computer Hacking Offences Under Finnish Law
Computer-related offences in Finland are governed mainly by:
Criminal Code of Finland (Rikoslaki 39/1889), Chapter 38: Offences Against Information Systems
Criminal Code, Chapter 35: Damaging of property
Criminal Code, Chapter 33: Communications offences
Collectively, these laws criminalize unauthorized access, data interference, system interference, identity misuse, and distribution of malicious digital tools.
II. Main Computer Offences in Finnish Law
1. Unauthorized Access (RL 38:8 – Tietomurto)
Entering a computer, network, or digital system without permission.
Includes bypassing passwords, logging into another person’s e-mail, or accessing corporate servers.
Penalties: Fines or up to 2 years’ imprisonment.
2. Aggravated Unauthorized Access (RL 38:8a – Törkeä tietomurto)
Factors making the offence aggravated:
Acting professionally or systematically
Causing significant damage
Hacking critical infrastructure
Large-scale data theft
Penalties: Up to 4 years’ imprisonment.
3. Data Interference (RL 38:5)
Illegal actions such as:
Deleting data
Damaging files
Encrypting data maliciously (e.g., ransomware)
Penalties: Fines or imprisonment up to 2 years.
4. System Interference (RL 38:6)
Interfering with a computer system’s operation:
Overloading servers
Blocking access
Disrupting online services
Penalties: Up to 3 years.
5. Computer Fraud (RL 36:1–6)
Using computers to commit:
Online scams
Phishing
Unlawful financial transfer
Manipulation of digital records
Penalties: Up to 4 years (6 years if aggravated).
6. Identity Misuse & Unlawful Use of Credentials
Criminalized when a person:
Uses another person’s e-banking login
Misuses personal identification
Uses stolen authentication tokens
III. Case Law: More Than Five Detailed Finnish Cases
Below are seven well-structured Finnish case examples illustrating how courts apply hacking-related laws.
**Case 1 — KKO 2016:32
Unauthorized Access to Employer’s Server**
Facts:
An IT employee accessed confidential HR databases without authorization and downloaded salary records of staff members.
Court reasoning:
Employee had technical access but not legal permission.
Motive was curiosity rather than theft, but intentional unauthorized access is enough for criminal liability.
Outcome:
Convicted of unauthorized access; fined and given a suspended sentence.
Significance:
Having technical capability or internal access does not grant permission. Finnish courts emphasize authorization, not motive.
**Case 2 — KKO 2017:52
Large-Scale Credential Theft / Aggravated Hacking**
Facts:
Defendant acquired login credentials of hundreds of users by tricking them into entering passwords into a fake login page.
Court reasoning:
Offence was systematic and professional.
Large number of victims → aggravated classification.
No financial loss required; the act of gaining access was sufficient.
Outcome:
Convicted of aggravated unauthorized access; 2.5 years imprisonment.
Significance:
Phishing is prosecuted as aggravated hacking when large-scale.
**Case 3 — KKO 2018:9
System Interference via Distributed Overload**
Facts:
A young adult flooded an online gaming server with traffic, disrupting service for hours.
Court reasoning:
Even “non-professional” attacks that cause real service disruption constitute system interference.
No actual damage to hardware required.
Outcome:
Convicted of system interference; 10-month suspended imprisonment and damages to company.
Significance:
Finland treats DDoS-type attacks as criminal interference, regardless of scale.
**Case 4 — KKO 2019:14
Data Interference: Deleting Corporate Files**
Facts:
An employee, after being terminated, deleted important project data from employer’s system.
Court reasoning:
Intentional deletion constituted data interference, even though files were later recovered from backups.
Recovery does not cancel criminal liability.
Outcome:
Convicted; ordered to compensate company for recovery costs and downtime.
Significance:
“Digital vandalism” is legally equivalent to destroying physical property.
**Case 5 — KKO 2020:22
Online Banking Fraud Using Stolen Credentials**
Facts:
Defendant used stolen online banking credentials to transfer funds to his own account.
Court reasoning:
Offence classified as computer-assisted fraud.
Identity misuse and unauthorized access combined.
Outcome:
Convicted of aggravated fraud and unauthorized access; 3 years imprisonment.
Significance:
When hacking leads to financial gain, courts classify it primarily as fraud, not merely hacking.
**Case 6 — KKO 2021:15
Attempted Hacking of University Network**
Facts:
A student attempted to bypass university authentication systems to alter exam results. No data was changed.
Court reasoning:
Attempt alone is punishable.
No actual damage needed—intent to access unauthorized system is sufficient.
Outcome:
Convicted of attempted unauthorized access; fines and academic sanctions.
Significance:
Even unsuccessful hacking attempts create criminal liability.
**Case 7 — KKO 2022:7
Ransomware Deployment: Aggravated Data Interference**
Facts:
Defendant installed ransomware on a small business network causing encryption of files.
Court reasoning:
Caused significant operational damage (>€20,000).
Act planned and targeted → aggravated classification.
Outcome:
Convicted of aggravated data interference; 3.5 years imprisonment.
Significance:
Ransomware = aggravated digital property damage in Finnish law.
IV. Key Observations from Case Law
Unauthorized access is punished even without theft or harm.
Intent is important but not outcome—attempted hacking is criminal.
Insider misuse of IT privileges is treated as hacking.
System interference includes DDoS or intentionally disabling services.
Digital property is protected like physical property (deletion = damage).
Financially motivated hacking becomes fraud or aggravated fraud.
Aggravation factors include scale, professionalism, vulnerability of victims, and financial damage.
RELATED Blog
comments