
The client, the Korpelan Voima power utility, won the original case against Enerit. At that time a lower court ruled that the IT company had shown extreme neglect in fulfilling its contract.

Enerit was contracted to provide IT services for Korpelan Voima and its power distribution subsidiary Korpelan Verkko in 2006.

Four years ago, the consortium of local municipalities that own the utility company brought in a private expert to evaluate its IT security. The expert found that Enerit had ignored 23 separate orders or bans established by the municipalities' computer security policy.

Spam, porn and slack security

Firewall security settings were so inadequate that they allowed outside access to the company's intranet, including customer data and Korpelan Voima's main server which ran critical company operations.

It was found that the installed spam filter passed along unscanned emails from a Finnish dating service and a German website offering adult entertainment videos. In addition, an IT company employee had downloaded 20,000 pornographic pictures, 250 movies, over 1000 pieces of music and installed BitTorrent file-sharing software.

According to the case filed by Korpelan Voima, the employee used only a third of the hours invoiced for work.

The expert's evaluation was that slack security arrangements led to a potential threat that could have targeted the company's entire electricity supply distribution and control. IT security arrangements were deemed to be both outdated and systematically neglected. The appeals court agreed with the evaluation in its ruling.

Double damages

Under the earlier district court ruling, Enerit was ordered to pay Korpelan Voima and its distribution subsidiary 80,000 euros in damages for endangering its IT security. The appeals court has now raised that to 160,000 euros.

Enerit itself is jointly owned by three power utilities, Korpelan Voima, Kokkolan Energia and Vaasan Sähkö.