Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

Software Error Exposes the ID Numbers For 1.26 Million Danish Citizens (zdnet.com) 30

A software error in Denmark's government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country's total population. From a report: The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week. The software error and the subsequent leak was discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST). According to the UFST, the error occurred on TastSelv Borger, the Danish tax administration's official self-service portal where Danish citizens go to file and pay taxes online. Government officials said the portal contained a software bug that every time a user updated account details in the portal's settings section, their CPR number would be added to the URL.
This discussion has been archived. No new comments can be posted.

Software Error Exposes the ID Numbers For 1.26 Million Danish Citizens

Comments Filter:
  • BAH! Pikers.

    The Likud election app leaked the information of all registered Isreali voters. [timesofisrael.com]

    Makes the Iowa Democratic committee look competent.
  • Jesusfuckingchrist. It's everyday now, isn't it? Is anyone ever going to go to fucking jail for this bullshit, or are we just supposed to bend over and take it up the ass?
  • Nope, that's not an error, that's a design flaw.

    Also: Information wants to be FREE!! However, your taxes -- not so much.
    • by afidel ( 530433 )

      Came here to make the same comment, the code likely did exactly what was specified, it was the specification that was incorrect.

  • by ZorinLynx ( 31751 ) on Monday February 10, 2020 @05:36PM (#59713468) Homepage

    Time to stop using extremely-difficult-to-change personal ID numbers that must be kept secret? It's the same deal with social security numbers in the US; you have this nine digit number for your ENTIRE LIFE that's nearly impossible to change but has to be kept secret because someone thought it would be a good idea to use it as, effectively, a password to access people's credit lines.

    • by skoskav ( 1551805 ) on Monday February 10, 2020 @05:57PM (#59713570)

      The personal ID numbers in Denmark (and other Nordic countries) are neither secrets nor used as passwords. They're effectively publicly available usernames, and the government requires sites to use approved eID authentication methods.

      The issue mentioned by the article and original source is that the ID numbers were visible in the URL, which made those usernames inadvertently collected by analytics scripts from Google and Adobe, which is a privacy no-no.

      • by amorsen ( 7485 )

        The personal ID numbers in Denmark (and other Nordic countries) are neither secrets nor used as passwords.

        This is the theory, but reality is different. Many Danish government offices accept the personal ID number at authentication if you call them on the phone and sound convincingly local.

        Also, Danish ID numbers inadvertently encode information such as approximately where you were born, immigration status, adoption status, gender/gender change. Making them public is not a good idea.

        They need to be scrapped and replaced by a new opaque ID with a publicly available database to look up the ID for everyone.

      • Comment removed based on user account deletion
    • Yeah it's the using it as a password part that's the problem, not having the ID part.

    • by Kjella ( 173770 )

      Time to stop using extremely-difficult-to-change personal ID numbers that must be kept secret? It's the same deal with social security numbers in the US; you have this nine digit number for your ENTIRE LIFE that's nearly impossible to change but has to be kept secret because someone thought it would be a good idea to use it as, effectively, a password to access people's credit lines.

      Yes, they should give up the "secret" part. Here it Norway most things are tied to your "person number", it's 11 digits and starts with DDMMYY + 3 for uniqueness + 2 control digits. One of them tells my sex too so realistically there's only 500 possibilities once you know my DOB. But that alone is almost useless, for all things electronic they want a 2FA signature with BankID (cell phone or key fob), in real life you need a driver's license or passport. And if you lose all of that and have had a passport be

      • by AK Marc ( 707885 )
        Sounds like the system for registration at college. Mt freshman year was my sister's senior year. The system is "secure". They quiz you on name, DOB and SSN. With an almost photographic memory, I remember my sister's SSN. Of course I know her DOB and name. I could add or drop any class of hers. Dial into the automated system, enter her SSN, verify with DOB, and boom, full access. Of course, since SSN was the "student ID", get any official paperwork or ID card from anyone, and with their birthday, whi
    • by Calydor ( 739835 )

      We actually use it more as a username (literally, in some cases) than a password. It's not a GOOD idea to just share it willy-nilly, but the first six digits are your birthday and year, so it's hardly a totally secret code.

    • I have never understood this US SSN bullshit. It has to be kept secret, but you give it out to your local Kwikâ(TM)eâ(TM)Mart for a temp job and hope it does not leak from their âoedatabaseâ?

      • Actually, it was never intended to be secret. The issue is that it ended up being used in ways never intended. Some of those ways provided opportunities for abuse and mischief. So it became prudent to keep it as secret as possible.

    • Technically, you're not supposed to use SSN as an ID number in the US, either. But lots of companies do anyway.
  • by Henriok ( 6762 )
    I donâ(TM)t know how it is in Denmark but in Sweden the personal ID number isnâ(TM)t a secret. You can easily look up any (not under a protective identity programme) Swedish residentâ(TM)s number. Itâ(TM)s an ID not an authorization code. Itâ(TM)s given automatically to citizens at birth and to foreigners with residents permit. All formalized organizations and corporations has a very similar code too, and all this is very public and must be so for it to be useful. And we do find it
    • by Zumbs ( 1241138 )
      It should be like that in Denmark. But in many cases, using a personal ID number will be deemed sufficient to verify that you are the person with that ID. This means that it is useful for things like identity theft. Yes, the entity accepting the ID as sufficient may be liable for any loss, but you still need to fight them to get off the hook.
  • I might be splitting hairs, but this is a design flaw, not a bug or error.

    I only feel it important to make the distinction, because somebody should be held accountable. Not for punishment, just for transperancy. Every mistake or oversite is an opportunity to learn, and calling it something different than it is doesn't do much in maintaining trust etc.

  • So we've been hearing constantly that this type of thing absolutely cannot happen in the EU, due to the GDPR.

    Ok...
    • GDPR is making sure non consensual processing of personal information can be procecuted, and it is working.

      I'm not sure how you would expect a law to guarantee this type of thing absolutely cannot happen. I mean that's not how laws work

      If you're asking why this was happening, it's probably because some developers from the vendor DXC Technology was not aware that inserting personal information directly in URLs is a very bad idea, even though you would suppose this is on page 1 in any book on privacy and web

  • Why can a website run by the Danish government, and every citizen is almost forced to use, embed anything offsite stuff? It leaks information and makes a vital website dependent on a foreign company keeps their service running. Public websites most run without use anything hosted by others.
  • that can be caught in a proper design review. Using HTTP semantics properly.

  • 1,260,001 - 5,603,000

  • It's not the first time they have been "leaked". Let's not forget the hacked database of drivers licenses(also maintained by the same company iirc). Then there was the medical institution that sent the ID along with medical information on a CD-ROM to the Chinese Embassy by "accident". They, of course, returned it without copying it.
    Yes, our governmental institutions can't be trusted with personal information.

  • .. the portal contained a software bug that every time a user updated account details in the portal's settings section, their CPR number would be added to the URL.”

    Demonstrating the perils of outsourcing your software to the lowest cost bidder who outsources it to some intern in India.
  • If the IRS can audit you because you're in the tea party they can come after you for any reason.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...