Thousands of students’ personal data at risk due to vulnerabilities in Wilma system in Finland

According to information received by Yle, the personal data of thousands of schoolchildren and students may have been at risk of falling into the wrong hands due to vulnerabilities in the Wilma system. The issues are primarily linked to weak combinations of usernames and passwords. The Wilma system is utilized by teachers, parents, and students, as well as some companies.

The software company Visma, which developed Wilma, has warned schools and clients about serious phishing attempts. Yle contacted several educational institutions and confirmed that the security issue is genuine, with access possible using weak credentials. Users were able to access the same information as school staff. The situation was promptly addressed.

Responsibility for data security lies with the education providers, making it unclear how widespread the problem is. Different schools may focus on data protection to varying degrees. Schools manage the creation and distribution of Wilma usernames and passwords, and it appears easily guessable credentials may have been created for testing purposes; some may have existed for years. Reports suggest that weak password combinations with extensive access rights could be found in dozens of institutions across Finland.

After Yle’s inquiries, Visma alerted users of serious phishing threats, urging them to take immediate action and filed a police report, highlighting the potential exposure of students’ data in various municipalities. Visma had previously warned about risks associated with test accounts upon detecting suspicious login attempts.

Visma emphasizes that each customer or institution has its own Wilma instance, which they can customize, and they do not control the credentials created by clients or have access to client data.