[smcin]

Depends what you mean: wrt. Vastaamo, if he had simply contacted the company and not crossed over into extortion, he was doing something potentially white/grey-hat hacker by exposing they had almost zero data security and were violating GDPR, SarbOx and presumably a truckload of related Finnish and EU laws.

[smcin]

...because given how nonexistent Vastaamo's security was, it was only a matter of time that they would ultimately have gotten compromised or ransomwared, if not by Kivimäki then by someone else. So whether Kivimäki ever existed or not, doesn't change the inevitable outcome. And Vastaamo's CEO went to jail for GDPR violations. There's also the unexplained mystery of why Keskinen (the DPO) and Lind had no sysadmin password and no firewalls, even after they had been criminally investigated for a previous incident. Also, the Finnish DPA wasn't exactly proactive about checks, either.

(To be clear, Kivimäki was a scumbag.)

So, there's lots of responsibility to go around.