Software error exposes the ID numbers for 1.26 million Danish citizens

Danish tax portal accidentally shares tax payer identification numbers with Google and Adobe analytics services.

Denmark flag

Image: David Dvořáček

A software error in Denmark's government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country's total population.

The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week.

The software error and the subsequent leak was discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST).

According to the UFST, the error occurred on TastSelv Borger, the Danish tax administration's official self-service portal where Danish citizens go to file and pay taxes online.

Government officials said the portal contained a software bug that every time a user updated account details in the portal's settings section, their CPR number would be added to the URL.

The URL would then be collected by analytics services running on the site -- in this case, Adobe and Google.

According to the UFST, details for more than 1.2 million Danish tax-payers were exposed by this bug and were inadvertently collected by the analytics providers.

CPR numbers are important in Denmark. They are mandatory for opening bank accounts, getting phone numbers, and many other basic operations.

CPR numbers also leak details about a user. They consist of ten digits, where the first six are a citizen's birth date. They also leak details about an owner's gender (if the last digit is odd, the owner is male, if the last digit is even, then the owner is a female).

However, despite the pretty large and ominous data leak, UFST, the agency which uncovered the leak, urged citizens to calm, as the data was most likely collected by the two analytics companies only, and there was no immediate danger of fraud to those affected.

But despite the call to calm, several local privacy experts have also called for a broader audit of the tax agency's portal source code, fearing other glaring errors.

DXC (formerly CSC), the software company who built the self-service portal, said they fixed the bug after authorities reported the issue.

Denmark is the third Scandinavian government to suffer a security incident in the last few years. In 2015, the Swedish Transport Agency (STA) allowed several sensitive databases to be uploaded to the cloud and accessed by unvetted Serbian IT professionals. In 2018, a hacker group stole healthcare data for more than half of Norway's population.