A software error in Denmark’s government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country’s total population.
The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week.
The software error and the subsequent leak was discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST).
Government officials said the portal contained a software bug that every time a user updated account details in the portal’s settings section, their CPR number would be added to the URL.
The URL would then be collected by analytics services running on the site — in this case, Adobe and Google.
According to the UFST, details for more than 1.2 million Danish tax-payers were exposed by this bug and were inadvertently collected by the analytics providers.
CPR numbers are important in Denmark. They are mandatory for opening bank accounts, getting phone numbers, and many other basic operations.
CPR numbers also leak details about a user. They consist of ten digits, where the first six are a citizen’s birth date. They also leak details about an owner’s gender (if the last digit is odd, the owner is male, if the last digit is even, then the owner is a female).
Denmark is the third Scandinavian government to suffer a security incident in the last few years. In 2015, the Swedish Transport Agency (STA) allowed several sensitive databases to be uploaded to the cloud and accessed by unvetted Serbian IT professionals. In 2018, a hacker group stole healthcare data for more than half of Norway’s population.