Danes Blame Bug for ID Leak Affecting 1.3 Million

Written by

The Danish government is under fire after an audit revealed that the personal identity numbers of over a fifth of the country’s population were leaked to US tech providers for five years.

The issue was discovered by the Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen) which maintains the country’s tax office IT systems.

It is linked to a software bug in the TastSelv Citizen portal used by taxpayers, which meant that ID (CPR) numbers appeared in the web address after a user updated their details.

This in turn meant that the numbers, as part of these URLs, were sent to analytics providers Google and Adobe. According to tech supplier DXC Technology, 1.26 million citizens were affected by this leak between 2015 and 2020, while a further 1330 were caught up in a smaller incident from January 29 to February 1 2020.

The government agency was quick to play down the seriousness of the incident, confirming that no other payroll, tax or personal data was included in the privacy snafu, and that the leaked CPR numbers were sent via an encrypted connection.

“This is an older software bug that has been fixed today. It is important to note that in both cases there is no risk that the information sent has been misused. In one case, the information has been deleted as an integral part of the recipient process, meaning it is neither logged in nor stored with Google,” said Andreas Berggreen, director of the Danish Development and Simplification Board.

“We take these kinds of cases very seriously, and of course we need to be able to make sure that our suppliers handle all data according to applicable law and within the framework agreed upon with them. We must note that this has not been the case here, and that is why we have asked the attorney general to assess what legal steps the case is giving to the supplier.”

The incident is nowhere near the scale of Scandinavian neighbor Sweden, which imperiled the top secret details of government officials after failing to mandate security clearance for outsourced transport agency staff in Serbia and the Czech Republic.

What’s hot on Infosecurity Magazine?