A software bug in Denmark’s tax service portal, TastSelv Borger, exposed the CPR numbers of 1.26 million Danish citizens to Google and Adobe analytics services for almost five years. The issue, discovered by the Danish Agency for Development and Simplification (Udviklings- og Forenklingsstyrelsen) during an audit, affected roughly one fifth of Denmark’s population.
The TastSelv Borger portal is managed by the U.S. company DXC Technology. Danish citizens use it to view and amend their tax returns and annual statements and to pay outstanding tax. To file, users must enter their CPR number, the ten-digit civil registration number assigned to everyone resident in Denmark, which serves as a unique identifier for each individual. A CPR number is not an opaque token: its first six digits encode the holder’s date of birth (day, month, year), and the parity of its last digit encodes sex (odd for male, even for female). Leaking a CPR number therefore also leaks those personal attributes.
The Three Instances of CPR Number Leaks
The agency found that, because of a software bug in DXC’s application, users’ CPR numbers were being placed in the URL of portal pages, and that URL was then passed on to Google and Adobe as part of the page-view data collected for analytics. DXC confirmed the finding and said the CPR numbers had been exposed on three separate occasions:
- In the first, spanning almost five years (February 2, 2015, to January 24, 2020), approximately 1.26 million CPR numbers were exposed.
- In the second, the CPR numbers of approximately 1,330 Danish citizens were exposed between January 29, 2020, and February 1, 2020.
- While investigating the first two, DXC found a third: between 2015 and 2016, the CPR numbers of 4,735 citizens were sent from TastSelv Borger to another vendor, MaxCDN.
DXC added that, although the CPR numbers were exposed by the bug, the chance of their being abused was next to nil because the data travelled over a secured, encrypted channel, and that no other personal data of Danish citizens, such as payroll or tax details, had been disclosed to the IT providers.
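The two technical points above, the structure of a CPR number and the way a value embedded in a page URL ends up at an analytics vendor, are easy to make concrete. The following is an added example, not code from the TastSelv Borger portal, DXC, Google or Adobe: it recognises CPR-shaped values (DDMMYY plus four digits, with or without the conventional hyphen) inside a URL, strips them before a page-view call leaves the browser, and scans request-log lines for URLs that still carry one. The vendor call is modelled by a hypothetical `sendPageView(url)` supplied by the caller, the log format is a simplified constructed one, and every sample value is constructed, not real.

```javascript
// Added example (not code from TastSelv Borger, DXC or any analytics vendor):
// find Danish CPR numbers embedded in URLs, redact them before an analytics
// call, and audit request logs for URLs that still carry them.
// Assumptions not taken from the article: sendPageView(url) is a hypothetical
// stand-in for the vendor call; log lines are "<timestamp> <request-path>";
// all sample values below are constructed.

const DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];

// Ten digits, optional hyphen after the sixth, not part of a longer digit run.
const CPR_TOKEN_SOURCE = '(?<!\\d)\\d{6}-?\\d{4}(?!\\d)';

// Parse one CPR-shaped token. Returns null unless the first six digits form a
// plausible DDMMYY date. The century is not recoverable from those six digits
// alone, so only the two-digit year is reported. Sex follows the parity rule:
// odd last digit = male, even = female.
function parseCpr(token) {
  const m = /^(\d{2})(\d{2})(\d{2})-?(\d{4})$/.exec(token);
  if (!m) return null;
  const day = Number(m[1]);
  const month = Number(m[2]);
  if (month < 1 || month > 12 || day < 1 || day > DAYS_IN_MONTH[month - 1]) {
    return null;
  }
  const lastDigit = Number(m[4][3]);
  return {
    birthDay: day,
    birthMonth: month,
    birthYearInCentury: Number(m[3]),
    sex: lastDigit % 2 === 1 ? 'male' : 'female',
  };
}

// Return every CPR-shaped value found in a URL's query values or path segments.
function findCprInUrl(urlString) {
  const url = new URL(urlString);
  const found = [];
  const consider = (value) => {
    for (const m of value.matchAll(new RegExp(CPR_TOKEN_SOURCE, 'g'))) {
      if (parseCpr(m[0])) found.push(m[0]);
    }
  };
  for (const [, value] of url.searchParams) consider(value);
  for (const segment of url.pathname.split('/')) consider(segment);
  return found;
}

// Return the URL with every CPR-shaped value replaced by a fixed marker.
// Query parameters are rebuilt so duplicate keys are preserved; path segments
// are rewritten in place; everything else is left untouched.
function redactCprFromUrl(urlString) {
  const url = new URL(urlString);
  const scrub = (value) =>
    value.replace(new RegExp(CPR_TOKEN_SOURCE, 'g'), (tok) =>
      parseCpr(tok) ? 'REDACTED' : tok);
  const params = new URLSearchParams();
  for (const [key, value] of url.searchParams) params.append(key, scrub(value));
  url.search = params.toString();
  url.pathname = url.pathname.split('/').map(scrub).join('/');
  return url.toString();
}

// Wrap an analytics sender so the page URL is scrubbed before it leaves the
// browser. sendPageView is a hypothetical stand-in for the vendor's API.
function trackPageView(pageUrl, sendPageView) {
  const safeUrl = redactCprFromUrl(pageUrl);
  sendPageView(safeUrl);
  return safeUrl;
}

// Audit helper: scan "<timestamp> <request-path>" log lines (a constructed,
// simplified format) and report the ones whose URL carries a CPR number.
function scanRequestLog(lines, origin = 'https://example.invalid') {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 2) continue;
    const cprs = findCprInUrl(origin + fields[1]);
    if (cprs.length) hits.push({ line, cprs });
  }
  return hits;
}

// Constructed sample lines, not real traffic. The second carries a CPR-shaped
// value in a query parameter, the third in a path segment; the fourth holds a
// ten-digit value with an impossible month (13), so it is left alone.
const SAMPLE_LOG = [
  '2020-01-24T10:00:00Z /tastselv/forside',
  '2020-01-24T10:00:05Z /tastselv/aarsopgoerelse?cpr=010190-1233&year=2019',
  '2020-01-24T10:00:09Z /tastselv/borger/0101901234/restskat',
  '2020-01-24T10:00:12Z /tastselv/sag?ref=0113901234',
];

const sent = [];
trackPageView('https://example.invalid' + SAMPLE_LOG[1].split(' ')[1],
  (url) => sent.push(url));
```

Transport encryption protects the request on the wire; it does nothing to stop the receiving analytics pipeline from ingesting, and possibly retaining, whatever the URL contains, which is why the scrub has to run before the vendor call rather than rely on the channel. The date and parity checks in `parseCpr` cut false positives from other ten-digit values (order numbers, phone numbers), but a real deployment should also treat raw POST bodies, referrer headers and fragment identifiers as places where the same value can travel.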
Andreas Berggreen, director of the Danish Agency for Development and Simplification, said: “This is an older software bug that has been fixed today (February 7, 2020). It is important to note that in none of the reported cases is there a risk that the information sent has been misused. In fact, in one of the cases, the information was deleted as an integral part of the recipient’s process, meaning it is neither logged nor stored with Google.”