Pierluigi Paganini February 10, 2020

A glitch in the TastSelv Borger tax service has sent over one million Danish CPR numbers to the US companies Google and Adobe.

The Danish Agency for Development and Simplification has discovered the data leak that involved the TastSelv Borger service, which is managed by the US company DXC Technology.

The TastSelv service allows everyone with a tax liability to Denmark to view and change his tax return, annual statement and pay residual tax. 

Data, including CPR numbers, have been exposed for almost five years before the data leak was discovered.

“We take this kind of case very seriously. And of course we need to be able to make sure that our suppliers handle all data according to applicable law and within the framework agreed upon with them.” states the Government Agency.

The good news is that according to the Agency, data was encrypted, it also added that Google and Adobe were not able to see the CPR numbers.

“Google Hosted Libraries have been designed to remove all information that allows identifying users before logging on. Thus, no user information is shared with Google in this process.” Google told the DR News website that first reported the news of the data leak.

Peter Kruse, cyber security expert and founder of the CSIS group, explained that Google had access to 1.2 million Danes’ CPR numbers because they were in plain text.

“The data received by Google is unencrypted. Google has been able to read data in unencrypted form, he estimates.” explained Kruse.

“Google has accessed 1.2 million Danes’ CPR numbers.“

The Danish Agency for Development and Simplification attempted to downplay the incident and confirmed that CPR numbers have been encrypted.

DR news website reported that the issue was triggered when logged on users to Tastselv Borger clicked on ‘Correct contact information’.

Once the users have corrected their contact information, an error in the application caused CPR numbers being sent to Google and Adobe as part of a web address. 

DXC has acknowledged the vulnerability and addressed it and confirmed that was not compromised.

“Together with the Development and Simplification Agency, we have addressed potential vulnerabilities. Based on our immediate review, we currently have no reason to believe that data has been compromised. We are continuing to investigate the matter in close cooperation with the Development and Simplification Board.” said DXC.

In 2014, the company CSC (now DXC) was involved in a similar incident that exposed 900,000 CPR numbers.

The Development and Simplification Board has now asked the Attorney General to investigate the incident to clarify the responsibility of DXC Technology.

Pierluigi Paganini

(SecurityAffairs – Data leak, CPR numbers)

[adrotate banner=”5″]

[adrotate banner=”13″]