CPR numbers have been logged after using NemLog-in in connection with submitting online applications to the Danish Immigration Service and SIRI via Newtodenmark.dk. The log files with CPR numbers have been publicly available at a specific web address.
Course of events
The Danish Immigration Service and SIRI have confirmed a personal data breach in connection with submission of online applications on Newtodenmark.dk via NemLog-in. The agencies hereby communicate the personal data breach to the affected persons.
The breach was stopped on 13 September 2021 by the agencies’ data processor. The agencies notified the Danish Data Protection Agency of the personal data breach on 16 September 2021.
On 14 September 2021 the data processor made the agencies aware that, between 2 April 2019 and 13 September 2021, the CPR numbers of applicants who submitted an online application on Newtodenmark.dk via NemLog-in were logged.
The logging has taken place because of a human error at the agencies’ data processor and sub-processor. The personal data breach occurred when a systems log used in a test environment was not disabled in connection with the system being moved back to the production environment.
It has not been possible to clarify whether unauthorized third parties have accessed the files, as there was no logging of data showing whether the files have been accessed. It is noted, however, that the log files have been continuously removed at an interval of between 20 minutes and 2 hours. This means that access to specific CPR numbers has only been possible in this period of time.
Stopping the personal data breach
The agencies have stopped the personal data breach and have made sure the files in question have been removed and deleted.
Guidelines for future task management have been tightened, and additional technical measures have been introduced to avoid similar incidents in future.
Finally, the agencies and the agencies’ data processor are reviewing the solutions in order to assess which further measures should be implemented.
Who was affected?
Persons who have used the agencies’ online application forms since April 2019 are part of the personal data breach, if they have used NemLog-in in connection with the submission of their application.
The persons’ CPR numbers are a part of the personal data breach. There has been no access to other personal information at the same time, e.g. name or address connected to the CPR numbers.
What does this mean for you?
The Danish Immigration Service and SIRI assess that there is a risk that unauthorized third parties could have gained access to your CPR number if you have used our online application forms via NemLog-in. Please note, as mentioned above, that the log files have been continuously removed at an interval of between 20 minutes and 2 hours, and that this means that access to specific CPR numbers has only been possible in this period of time.
A possible consequence of unauthorized access to a CPR number is the loss of confidentiality about the CPR number itself, and that this could lead to attempts at identity theft or misuse.
What should you do?
The personal data breach has been stopped, and you do not need to take any action.
What additional measures could you consider?
If you wish, you can set up a credit warning in connection with your CPR number.
A credit warning is a mark in the CPR register that makes it possible for you to warn against loans and credit being granted in your name.
A credit warning may be relevant if you fear that your CPR number may or will be used in connection with identity misuse.
You can read more about credit warning, including how to mark it in the CPR register, on www.borger.dk.
At www.sikkerdigital.dk you can find more information about identity theft, including how to protect yourself from it and how to get help if you are a victim of it.
You can also call the Agency for Digitisation’s hotline, which is open 24 hours a day all year round, if you discover or suspect that your personal information has been stolen. The number to the hotline is: 33 98 00 98.
The Danish Immigration Service and the Danish Agency for International Recruitment and Integration (SIRI) strongly regret the incident.
If you have any questions, you can contact one of the agencies’ Data Protection Officers via our contact forms or via mail.
Contact information for the Data Protection Officer in SIRI: Contact form for the Danish Agency for International Recruitment and Integration or dpo@siri.dk.
Contact information for the Data Protection Officer in the Danish Immigration Service: Contact form for The Danish Immigration Service, or dpo@us.dk.