[BreachExchange] 1.2 million CPR numbers for Danish citizen leaked through tax service

[Destry Winant]

https://securityaffairs.co/wordpress/97571/data-breach/1-2m-cpr-numbers-leak.html

A glitch in the TastSelv Borger tax service has sent over one million
Danish CPR numbers to the US companies Google and Adobe.

The Danish Agency for Development and Simplification has discovered
the data leak that involved the TastSelv Borger service, which is
managed by the US company DXC Technology.

The TastSelv service allows everyone with a tax liability to Denmark
to view and change his tax return, annual statement and pay residual
tax.

Data, including CPR numbers, have been exposed for almost five years
before the data leak was discovered.

“We take this kind of case very seriously. And of course we need to be
able to make sure that our suppliers handle all data according to
applicable law and within the framework agreed upon with them.” states
the Government Agency.

The good news is that according to the Agency, data was encrypted, it
also added that Google and Adobe were not able to see the CPR numbers.

“Google Hosted Libraries have been designed to remove all information
that allows identifying users before logging on. Thus, no user
information is shared with Google in this process.” Google told the DR
News website that first reported the news of the data leak.

Peter Kruse, cyber security expert and founder of the CSIS group,
explained that Google had access to 1.2 million Danes’ CPR numbers
because they were in plain text.

“The data received by Google is unencrypted. Google has been able to
read data in unencrypted form, he estimates.” explained Kruse.

“Google has accessed 1.2 million Danes’ CPR numbers.“

The Danish Agency for Development and Simplification attempted to
downplay the incident and confirmed that CPR numbers have been
encrypted.

DR news website reported that the issue was triggered when logged on
users to Tastselv Borger clicked on ‘Correct contact information’.

Once the users have corrected their contact information, an error in
the application caused CPR numbers being sent to Google and Adobe as
part of a web address.

DXC has acknowledged the vulnerability and addressed it and confirmed
that was not compromised.

“Together with the Development and Simplification Agency, we have
addressed potential vulnerabilities. Based on our immediate review, we
currently have no reason to believe that data has been compromised. We
are continuing to investigate the matter in close cooperation with the
Development and Simplification Board.” said DXC.

In 2014, the company CSC (now DXC) was involved in a similar incident
that exposed 900,000 CPR numbers.

The Development and Simplification Board has now asked the Attorney
General to investigate the incident to clarify the responsibility of
DXC Technology.