by runesoerensen 3625 days ago
This is ridiculous. It's not just Danish personal identification numbers, but ID numbers and health records for everyone who has lived in Denmark from 2010 through 2012.

Quick recap since it's in Danish: A Danish health authority, SSI, accidentally mailed two CDs containing unencrypted CPR-numbers and health records for 5.28m residents to the Chinese Visa Application Office.

The Chinese delivered the letter to the intended recipient, Statistics Denmark, another Danish government authority.

The bubble cushioned mailer containing the CDs had been opened, but regardless the issue of course is the extremely reckless handling of very sensitive information.

Edit: Article reporting on this in English http://www.thelocal.dk/20160720/five-million-danish-id-numbe...

Edit 2: The specification and structure of the data that was sent with these CDs. https://twitter.com/christianpanton/status/75574223004496691... (also in Danish, but this seems to include almost everything; the carelessness in handling this data appears to have been surpassed only by the extent and completeness of it)


Correction: SSI sent a letter containing two unencrypted CDs containing CPR-numbers and health records for 5.28m residents in Danish municipalities between 2010 and 2012 to the Danish statistics agency (Statistics Denmark).

Post Danmark (postal service) accidentally delivered the letter to the Chinese Visa Application Centre instead. When the employee responsible for receiving the letter noticed the mistake upon opening it, the employee turned the letter with the two CDs over to Statistics Denmark.

According to the employee's story, this was done immediately. And the investigation team says they have no reason to doubt the validity of her story.

To sum up: The investigation team believe that the Chinese Visa Application Centre never actually saw the contents on the CDs. SSI sent the data unencrypted, and the postal service delivered the letter to the wrong recipient.

Edit: Changed wording from blaming the postal service.

That's the problem with blame culture. It needs to be someone's (emphasis ONE) fault, and then anyone else can breathe a sigh of relief and move on.

It's blatantly irresponsible that SSI even has the infrastructure to burn CDs with this information on it (it needs to live in a heavily secured, jealously guarded and scrupulously audited (ideally airgapped) computer system). If they absolutely need this capability, it's blatantly irresponsible to let such a CD out of the care of trusted employees -- and if they absolutely need to post it, they need to heavily encrypt it.

It's not meaningfully "the post service's fault".

I apologise, that summary was inaccurate. But parent's wording seemed to indicate that the SSI had sent the letter to the wrong recipient when that was not the case. I wanted to clear that up.

The problem is that SSI sent the data unencrypted.

The problem was that they sent it at all.

I hate to tell you this but such information is widely emailed around as Excel spreadsheet attachments by unthinking people. I would virtually guarantee it happens every day.

This is how the US debt collection system works according to an article I read a couple of years ago...

Likely the capability exists for when someone moves to another part of the country, and the local doctor wants to check the new patient's medical history.

Note also that the data was meant for what I assume is the national statistics office. Likely for investigating changes in Danish public health over recent years.

Unless by airgapped you mean to build a separate, free standing, network just for delivering medical records to doctor's offices around the nation.

First, this is not about doctors exchanging patients' medical histories, it's about two central government offices exchanging everybody's medical histories.

Second, the fact that security is (really!) hard is not a valid argument against doing it.

Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.

> Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.

Hang on: If you're extracting an individual's medical data and putting that on a USB stick you better make sure it's encrypted, and that there are audit trails in place for who extracted the data, when, and why, and where they put it.

Yes, if it's everyone's data you have a senior member of staff drive over and deliver it by hand; Denmark isn't very large.

That it is hard isn't an excuse. That the customers don't pay for security is. And by pay I mean not only the paycheck but also funding and giving prestige and power to doing so. Government IT security is often seen as a necessary evil and most troubles stem from that view.

If you buy a cheap knockoff don't complain when it turns out to not be as good.

How long does a modern machine need to copy off the contents of a couple of CDs? Were the discs in tamper-evident packages?

Not long, I'd imagine. But again there is little to no way to figure out for sure whether the Chinese government has this information. The story really highlights the careless handling of data, because the chances of the Chinese government (or any other third party) getting access to this data are way too high.

> But again there is little to no way to figure out for sure whether the Chinese government has this information

Assume they have it.

Let's assume they have it.

What kind of interest would you say the Chinese government has in the health records of a few million Danish residents? I don't know, maybe it's really important, but then maybe it's not that critical after all.

Hi, nice to meet you Johan! Can I get you a drink? Oh, you're an electrician? That's nice, I sell light fixtures.

...

Good to see you again Johan! You'll never believe, I was down at XYZ Clinic yesterday, and they'd left your file out!! Careless right? How did you break it to your wife you had herpes? Oh, she didn't know?! Man, sorry I mentioned it, I'll keep that quiet for sure.

...

Man, it's been a hard month Johan. Sales are down! Hey, you told me you worked at the DaneSecure building right? Oh you didn't? Someone else must have told me that. But look, don't worry. I can keep secrets!! Look could you do me a favour? I need to know what kind of light fixtures they use at DaneSecure so I can pitch to them. Could you take a look and let me know? I'd like to know what kind they are, and specifically, how many are installed on Level 7. You know we're friends, because you know I can keep my mouth shut.

...

Johan, we have a problem!!! My boss said that because we're Chinese-owned, you telling me about the light-fittings in a classified area is technically passing on state secrets!!! You have a lawyer right? No?! OK, here's the plan, don't tell anybody, and we'll figure a way to keep us both out of jail!

...

Are you OK Johan? You look kind of pale. You haven't been worrying about this all week have you? Oh you have? OK well don't worry, I've got a solution. My boss has said he thinks he can stop our corporate lawyers reporting it, and we'll both be fine. There's a small catch favour he wants from us though. He needs to know the power consumption of the floor to help us tailor our pitch. Do you think you could plug this thing in to a light fixture for me? I think we're both going to be fine...

...

Johan, I have some bad news for you? Remember I said I sold light fixtures? Well that wasn't the whole truth...

Probably none, but you don't stay a power in the modern world by turning up your nose at any kind of information that comes your way.

They can use it to track the movements of Chinese residents abroad, to blackmail Danes who are assisting Chinese dissidents, run scams at doctors' offices or insurers in order to get documentation for spies. I am sure there is more, I am no expert in this sort of thing.

Executive blackmail I imagine. You're a Chinese billionaire with connections to the government, you are in the midst of a deal with a large Danish corporation, you email your government contacts for the medical records of all the executives of that company. You find out one is an alcoholic, one has recently contracted herpes (and his wife hasn't), and so forth.

Assume they had it already.

Was the postman of Chinese descent?

Virtually all spy agencies recruit foreign nationals to do their dirty work.

Also your question has a 1 in 5 chance of the answer being "Yes".

> Also your question has a 1 in 5 chance of the answer being "Yes".

Assuming a uniform distribution of postman nationality. If we go by the CS literature, postmen seem always to be Chinese. :)

Why does it matter?

Just to give some perspective: These are the confidential ID numbers and health records, including for example psychiatric information, of more than 90 percent of the Danish population.

It's not legal, but many organisations still trust that you are who you say you are if you provide a name and the ID number. You can still call some banks in Denmark and get information on the account balance if you state a name, account number and the ID number. Same with the tax authorities and some public authorities.

The health records are likely to include information that can be used to blackmail our politicians, business people etc. since just about everybody in Denmark uses the public health care system.

Are ID numbers confidential in Denmark? They (personnummer) seem fairly widely shared in Sweden and Finland.

They are confidential in Denmark, or rather they were supposed to be.

They aren't confidential, at least not more than your full name. It's a common myth, probably stemming from the fact that there's plenty of laws about how to treat information that can be used to identify people. But those laws pretty much also apply if you just have a list of people's full names.

Edit: Reading through the law, they are more confidential than your full name, though not by much. Generally you can't publish them publicly. And usage within companies and the state is regulated, but fairly permissive. Datatilsynet has explicitly said that they shouldn't be used to identify that a person is who they say they are, and should only be used as a primary key to differentiate people.

Considering everyone and their cousin has your CPR number over here, I fail to see how it could be seen as confidential. My landlord has my CPR, my company has my CPR, my network operator has my CPR, and my language school has my CPR.

Not knowing my CPR has never been a problem, but knowing it has never been an advantage. It's a unique ID as a citizen, but that's as far as it goes.

Every time I call my bank, I have to give the amount of cash available on my account for them to "authenticate" me, or tell them when was the last time I logged on to the website.

They used to be regarded as confidential here in Norway but that has been rather de-emphasised in recent years. But you won't get anywhere asking for information from a bank if you only have the account and personnummer because all the banks here require two factor authentication, as far as I know.

This happens more than you think, although not usually at this scale and this high up in the chain. When a care institution needs to communicate with one of their vendors handling health records about a problem with a specific person's record, most IT workers at those institutions tend to just mail all details they feel are relevant to the issue without even considering encryption or the necessity of sending all that data over the wire.

The use of physical post here was probably a good thing all things considered! They could just as easily have used WeTransfer or some other cloud solution — when it comes to security best practices people are very good at downplaying the potential risk, even when legislation does acknowledge it and forbids such treatment of sensitive personal information.

> most IT-workers at those institutions tend to just mail all details they feel are relevant to the issue

Not necessarily disbelieving you, but why do you say this? Every place I've worked or contracted at with PII, I've had to sit through training about not doing this, and management provided tools for proper handling.

I don't mean to say that because there are policies that no one ever breaks them. I've also encountered places where what was encouraged on the ground was different than what was listed in policy.

I work for a SaaS vendor of health care record software. From what I have seen care institutions (as opposed to hospitals) do not have the experience or staff in-house to facilitate proper security procedures. The problem as I see it lies not in the routine operations that have a high degree of visibility in the organisation and tend to have strict policies surrounding them because they are anticipated, but in the exceptions, such as key users or the IT support responsible for the service they use reporting issues to the vendor.

> 5.28m residents

Denmark has a population of 5.7m residents, so this is almost all Danes.

That's like the entire Danish population. Also, who sends CDs these days?

And the letter, which was sent as priority mail, had been opened when they went to retrieve it...

Now they must assume that information is compromised and take action.

Which is what? Give every Dane a new health record?

I read that to mean _legal_ action.

IANAL, and can't profess to any knowledge whatsoever of Danish law, but opening a package clearly addressed to someone else without permission may be reasonable grounds for litigation.

Though to the question "what good will that do", you're right, it's not like new health records can be issued.

Depending on the details of what was shared and what ties them to an individual though, I suppose it might be possible to issue new IDs.

They wrote that they do not believe that there was a compromise of the data.

So? An unencrypted CD was accessible to a third party for a period of time. It's good security practice to consider the data to be compromised. Especially a powerful, malicious actor will put in effort to make it appear that this is not the case.

If anything, this requires a severe audit of the security practices of the affected organisations. Moreover, I think citizens of Denmark are entitled to know what information about their personal health records is leaked.