Update on the mobile device management data breach identified on 30 January

Valtori identified a data breach on 30 January 2026 in the mobile device management service it provides. The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. A user’s precise location cannot be determined based on this data. According to current information, no data stored directly on the mobile devices themselves has been compromised.

During the investigation on the afternoon of Thursday, 5 February, it became evident that the scope of compromised data is significantly broader than previously assessed. Earlier estimates indicated that user data related to approximately 20,000 devices had been compromised. In light of new findings, the incident may involve a substantially larger number of users of the Government’s shared ICT services (approximately 50,000).

Investigations have shown that the management system did not permanently delete removed data but only marked it as deleted. As a result, device and user data belonging to all organizations that have used the service during its lifecycle may have been compromised. In certain cases, a single mobile device may have multiple users.

Valtori operates several different management systems, and the situation does not affect all customer agencies, nor does it involve devices connected to the secure network used by security authorities. The investigation is still ongoing, and we will provide further updates as more information becomes available.

Root cause: a zero-day vulnerability in the mobile management solution

The attacker exploited a vulnerability in a commercial software product used by Valtori. When the vulnerability became public on 29 January, no security patch was yet available. Valtori installed the corrective update immediately on the afternoon of Thursday, 29 January, once it was released, and later stopped the attacker’s activity by isolating the mobile device management service from the network.

Valtori maintains preparedness for various cyber threat situations through 24/7 monitoring, active cooperation with authorities, technical detection and protection measures, and regular exercises. Cyber threat situations are handled in accordance with strictly defined information security processes and detailed, continuously updated operational guidelines.

Valtori’s customers are government agencies. The Finnish central government employs approximately 77,000 people (tutkihallintoa.fi).

We will update this news item as needed with the latest information.

Update February 9

According to current information, the data breach has affected organizations that use or have previously used mobile device service (on-prem), as well as organizations that use or have previously used government domain service. If an organization has not been within the scope of either of these services, the situation does not, based on current knowledge, concern that organization.

Valtori aim to provide organization-specific, more detailed information on the compromised data as soon as possible. However, the investigation and data analysis are still ongoing and will take more time.

Further information

Director General Hannu Naumanen, [email protected]