#Privacy: Software error exposes personal ID numbers for 1.26m Danish citizens

The personal identification (CPR) numbers for 1.26 million Danish citizens has been accidentally exposed following a software error in Denmark’s government tax portal. 

The error and subsequently leak was discovered by the Danish Agency for Development and Simplification (UFST) following an audit. 

According to the UFST, the error, which occurred on the Danish tax administration’s official self-service portal carried out by DXC Technology, had caused CPR numbers to become part of a web address sent to Google and Adobe respectively. 

The error lasted five years, between February 2, 2015 and January 24, 2020, and impacted a fifth of the Danish population. 

Despite the exposure, the UFST has stated there has been no risk of any abuse as the data was never publicly available.

No other personal data such as payroll has been disclosed to IT providers. 

“This is an older software bug that has been fixed today. It is important to note that in both cases there is no risk that the information sent encrypted has been misused. In one case, the information has been deleted as an integral part of the recipient process, meaning it is neither logged in nor stored with Google. that one’s information can be misused,” says Andreas Berggreen, Director of the Danish Development and Simplification Board.

The error has since been fixed. The exposure has also been reported to Data Inspectorate. 

The UFST has asked the Chamber of Commerce to assess and investigate whether the software failure provides a basis for a claim against IT provider DXC. 

“We take these kinds of cases very seriously. And of course we need to be able to make sure that our suppliers handle all data according to applicable law and within the framework agreed upon with them. We must note that this has not been the case here, and that is why we have asked the Attorney General to assess what legal steps the case is giving to the supplier, ”says Andreas Berggreen.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.