
A software error in the Danish tax portal has accidentally exposed the personal identification (CPR) numbers of 1.26 million Danish citizens, one fifth of the country’s total population.

The error lasted five years (between February 2, 2015 and January 24, 2020) before it was discovered, Danish media reported last week.

The software error and the resulting leak were discovered during an audit by the Danish Agency for Development and Simplification (Udviklings- og Forenklingsstyrelsen, or UFST).

According to UFST, the error occurred on TastSelv Borger, the official self-service portal of the Danish tax authorities, where Danish citizens file tax returns online and pay taxes.

Government officials said the portal contained a software error: every time a user updated account information in the Settings section of the portal, their CPR number was added to the URL.

The URL was then collected by the analytics services running on the site, in this case Adobe and Google.

According to UFST, details for more than 1.2 million Danish taxpayers were exposed by this bug and were accidentally collected by the analytics providers.

CPR numbers are important in Denmark. They are required for opening bank accounts, obtaining telephone numbers and many other basic operations.

CPR numbers also reveal details about their owner. They consist of ten digits, the first six being the citizen's date of birth. The last digit indicates the owner's gender: odd means male, even means female.
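The leak path described above (an identifier written into the URL, then picked up by analytics services) and the CPR format can be combined into a guard that scrubs a URL before any analytics call receives it. This is an added example, not code from the portal or its vendors; the function names and the `portal.example` URLs are hypothetical, and it relies on the date digits being ordered DDMMYY with an optional hyphen after them, which the article does not spell out.

```javascript
// Added example: strip CPR-like values from a URL before analytics sees it.
// Per the article a CPR number is ten digits, the first six a birth date.
// Assumed here: the date is DDMMYY and a hyphen may follow it (DDMMYY-SSSS).
const CPR_CANDIDATE = /(?<!\d)(\d{6})-?(\d{4})(?!\d)/g;
const DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];

// True when the six digits form a plausible DDMMYY date. The century is not
// encoded in those digits, so 29 February is always accepted.
function hasPlausibleBirthDate(datePart) {
  const day = Number(datePart.slice(0, 2));
  const month = Number(datePart.slice(2, 4));
  if (month < 1 || month > 12) return false;
  return day >= 1 && day <= DAYS_IN_MONTH[month - 1];
}

// Replace every CPR-like run in a string; report how many were found.
function redactText(text) {
  let hits = 0;
  const clean = text.replace(CPR_CANDIDATE, (match, datePart) => {
    if (!hasPlausibleBirthDate(datePart)) return match;
    hits += 1;
    return "REDACTED";
  });
  return { clean, hits };
}

// Scrub path, query keys/values and fragment of a URL.
// A non-zero hit count means the application itself is leaking and needs a fix.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  let hits = 0;
  const scrub = (text) => {
    const result = redactText(text);
    hits += result.hits;
    return result.clean;
  };
  url.pathname = scrub(url.pathname);
  const params = [...url.searchParams.entries()];
  url.search = "";
  for (const [key, value] of params) {
    url.searchParams.append(scrub(key), scrub(value));
  }
  url.hash = scrub(url.hash);
  return { url: url.toString(), hits };
}

// Constructed sample URLs (not real CPR numbers or real portal paths).
console.log(scrubUrl("https://portal.example/settings?cpr=0102901234&tab=1"));
console.log(scrubUrl("https://portal.example/order?id=9912345678"));
```

The filter errs toward redaction: any ten-digit value whose first six digits look like a date is removed, while longer digit runs such as millisecond timestamps are left alone. Scrubbing is a backstop; the fix at the source is to keep the identifier out of the URL entirely.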

Despite the relatively large and ominous data leak, UFST, the agency that discovered it, urged citizens to remain calm because the data were most likely collected only by the two analytics companies and there was no direct risk of fraud for those affected.

Despite the call for calm, several local privacy experts have called for a broader audit of the tax portal’s source code, for fear of other serious mistakes.

DXC (formerly CSC), the software company that built the self-service portal, said they had resolved the bug after authorities reported the issue.

Denmark is the third Scandinavian country whose government has experienced a security incident in recent years. In 2015, the Swedish Transport Agency (STA) allowed several sensitive databases to be uploaded to the cloud and made accessible to inexperienced Serbian IT professionals. In 2018, a hacker group stole healthcare data for more than half of the Norwegian population.