The Danish Agency for Development and Simplification has discovered a data leak involving the TastSelv Borger tax service, which is managed by the US company DXC Technology.
The TastSelv service allows anyone with a tax liability to Denmark to view and change their tax return and annual statement, and to pay residual tax.
The data, which includes CPR numbers, was exposed for almost five years before the leak was discovered.
According to the government agency, the data was encrypted, so Google and Adobe were not able to see the CPR numbers.
News of the data leak was first reported by the DR News website, which was told by Google that Google Hosted Libraries were designed to remove all information that allows users to be identified before logging on. Thus, no user information is shared with Google in this process.
Peter Kruse, cyber security expert and founder of the CSIS group, said that Google had access to 1.2 million Danes’ CPR numbers because they were not encrypted.
The Danish Agency for Development and Simplification attempted to play down the incident and confirmed that the CPR numbers had been encrypted.
It was reported that the issue was triggered when users logged on to TastSelv Borger and clicked on ‘Correct contact information’.
After correcting the contact information, an error in the application caused CPR numbers to be sent to Google and Adobe as part of a web address.
The company has acknowledged the vulnerability and addressed it. It stated that it has reviewed the issue and that the data was not found to be compromised. It is continuing its investigation and working with the Development and Simplification Agency.
The Development and Simplification Board had asked the Attorney General to investigate the incident to clarify the responsibility of DXC Technology.