Security expert highlights vulnerabilities in Wilma system affecting thousands of students in Finland
Security issues revealed in the Wilma system are not new to Jyri Karppinen of WithSecure. As a cybersecurity expert, Karppinen notes that weak username-password combinations come up frequently in investigations of data breaches and cyberattacks. He considers the Wilma case particularly serious because of the sensitive information involved: the data of potentially thousands of schoolchildren and students may have been compromised through the weak protection of test accounts. If that information falls into the wrong hands, it could be used for extortion against educational institutions or individuals.
Karppinen emphasizes that the problem should be addressed at both the educational and the system level. He suggests that the service should require stronger passwords or implement two-factor authentication. Visma, the software company behind Wilma, states however that it cannot mandate two-factor authentication because the system is also used by minors.
If contracts allow, the provider could impose stricter requirements on the format, complexity, and length of passwords. Karppinen insists that system-level solutions to the issue exist.
According to reports, weak username-password combinations in Wilma could be discovered using a brute-force technique, in which a computer tries a vast number of combinations until one grants access. Initially, Visma's business manager claimed such intrusions were impossible, but later retracted the statement. Karppinen advises limiting the number of login attempts to protect against brute-force attacks, noting that many larger companies restrict attempts to five. If limits cannot be set and two-factor authentication is unfeasible, passwords should be long and sufficiently complex to deter such attacks, prolonging the time needed to crack them from hours to potentially hundreds of years.
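The two mitigations Karppinen describes, a five-attempt login limit and a password policy whose key space takes centuries rather than hours to exhaust, are shown below as an added illustration; this is example code written for this page, not code from Wilma or Visma, and the lockout duration, guess rates and policy thresholds are assumed values chosen for the demonstration.

```python
"""Added example: per-account login throttling and brute-force time estimates.

Not Wilma's or Visma's code; all numbers below are assumptions for illustration.
"""
import string
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5          # the five-attempt limit the article cites
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window after the limit is reached
SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class LoginThrottle:
    """Locks an account after max_attempts consecutive failed logins."""
    max_attempts: int = MAX_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    # username -> (consecutive failures, lockout expiry as a timestamp)
    state: dict = field(default_factory=dict)

    def attempt(self, username, password, verify, now):
        """Return "ok", "failed" or "locked"; verify(username, password) -> bool."""
        failures, locked_until = self.state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # reject without even checking the password
        if verify(username, password):
            self.state.pop(username, None)  # success resets the counter
            return "ok"
        failures += 1
        if failures >= self.max_attempts:
            self.state[username] = (0, now + self.lockout_seconds)
            return "locked"
        self.state[username] = (failures, 0.0)
        return "failed"


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time to try every password of the given length and alphabet."""
    return charset_size ** length / guesses_per_second


def years_to_exhaust(length, charset_size, guesses_per_second):
    return seconds_to_exhaust(length, charset_size, guesses_per_second) / SECONDS_PER_YEAR


def meets_policy(password, min_length=12, min_classes=3):
    """Assumed policy: at least min_length characters drawn from min_classes
    of the four classes lower/upper/digit/punctuation."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(c in cls for c in password) for cls in classes)
    return len(password) >= min_length and present >= min_classes


if __name__ == "__main__":
    # Constructed rates: 1,000 guesses/s against a throttled web login,
    # 1e9 guesses/s against a leaked hash.
    print("6-digit PIN, online:", years_to_exhaust(6, 10, 1_000) * SECONDS_PER_YEAR, "seconds")
    print("12-char mixed-case alphanumeric, offline:",
          round(years_to_exhaust(12, 62, 1e9)), "years")
    throttle = LoginThrottle()
    check = lambda u, p: p == "correct-horse-battery"  # constructed verifier
    for _ in range(5):
        print(throttle.attempt("alice", "wrong", check, now=0.0))
```

The throttle keeps a per-account counter so an attacker cannot simply switch source addresses, and a successful login clears it; the estimator makes the article's "hours versus hundreds of years" claim concrete for any alphabet and guess rate.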