Danish Government Tax Portal Exposes 1.26 Million Citizens’ Information to Two US Analytics Firm

• The bug was located on the e-tax portal where Danish citizens go to file and pay taxes online.
• The data most likely resides only with the two analytics companies—Adobe and Google.

The Denmark government inadvertently exposed the personal information of over a million Danish citizens through its online tax portal.

What happened?

A software bug in the TastSelv, Denmark’s e-tax portal, has exposed personal identification (CPR) number of 1.26 million citizens—a fifth of the country's total population.

• The vulnerability existed for five years before UFST, an agency that maintains the country’s tax office IT systems, reported it.
• The bug was residing in the e-tax portal where Danish citizens go to file and pay taxes online.

CPR numbers are important and mandatory in Denmark if someone wants to open a bank account, or own a phone number, and for other basic operations.

Bug in action

CPR numbers are ten digits code that contains a citizen's personal information including birth date, gender, etc.

• The bug on the tax portal would add the CPR number of the users to the URL every time they update account details from the portal's settings section.
• The analytics services, in this case, Adobe and Google, would then unknowingly collect such data as a part of their service.

The later story

UFST has urged citizens to keep calm as there was no immediate danger of fraud to those affected. The data most likely resides only with the two analytics companies.

The firm that built the self-service portal has fixed the bug after authorities reported about the bug. However, some local privacy experts have requested an in-depth audit of the tax agency's portal source code, which includes the fear of other glaring errors on it.