from Hacker News

Five million Danish ID numbers sent to Chinese firm by mistake

by mbanzon on 7/20/16, 12:21 PM with 79 comments

  • by runesoerensen on 7/20/16, 12:40 PM

    This is ridiculous. It's not just Danish personal identification numbers, but ID numbers and health records for everyone who has lived in Denmark from 2010 through 2012.

    Quick recap since it's in Danish: A Danish health authority, SSI, accidentally mailed two CDs containing unencrypted CPR-numbers and health records for 5.28m residents to the Chinese Visa Application Office.

    The Chinese delivered the letter to the intended recipient, Statistics Denmark, another Danish government authority.

    The bubble cushioned mailer containing the CDs had been opened, but regardless the issue of course is the extremely reckless handling of very sensitive information.

    Edit: Article reporting on this in English http://www.thelocal.dk/20160720/five-million-danish-id-numbe...

    Edit 2: The specification and structure of the data that was sent with these CDs. https://twitter.com/christianpanton/status/75574223004496691... (also in Danish, but this seems to include almost everything; the carelessness in handling this data appears to have been surpassed only by the extent and completeness of it)

  • by mads on 7/20/16, 2:52 PM

    As a Danish person living in China, I don't know how to feel about this.

    In some weird way, I think it was a good thing this got delivered to the China visa office and not next door to them, in which case we would probably never have heard about this mistake and for sure it wouldn't be top post here. There is a good headline to be found in this story, as I have just discovered when browsing the Danish news.

    If this information is handled so recklessly and so nonchalantly, it makes me wonder what other people within Denmark also have access to this information. Students, secretaries, interns? Can I register as a scientist and get access? Who exactly has access to my information? I would like to know the answer to this question.

    I know that visa office and have been there many times. It is not a Chinese government-run operation but a private company handling the incoming paperwork for visa applications, which get submitted for review at the Chinese-run Chinese embassy :P

  • by ksk on 7/20/16, 3:36 PM

    I wonder if this would have been a story if a country other than China was involved. Of course, the information was carelessly handled but then again worse things have happened.. like sending a missile to the wrong address. The bias in the article is interesting, with the author of the article putting the words 'by mistake' in quotes to signal that the mere act of opening the package is suspicious. Over the years I have blindly opened plenty of mailed packages only to realize that it was actually addressed to someone else.
  • by pbhjpbhj on 7/20/16, 2:33 PM

    The story from the Chinese Visa Application Office (CVAO) is that an employee opened the letter "by mistake":

    >"It said that it was contacted by an employee of the Chinese Visa Application Centre who said she opened the letter addressed to Statistics Denmark “by mistake” but then delivered the package to the statistics agency." (TheLocal, linked above, http://www.thelocal.dk/20160720/five-million-danish-id-numbe...). //

    Having worked as a civil servant I find this unlikely if it were properly addressed. In the office I worked at all mail came in via a mail room who checked and registered it and directed it to relevant personnel.

    Presumably the CVAO receive a lot of mail, they must have a dedicated system for recording [because we're talking about legal documents and receipt dates therefore are important to record] and directing that mail. So a piece of mail comes in for "Statistics Denmark", now what happens?

    What I'd expect is it's sent to a mail-room manager to handle. They can then either redirect the mail unopened or forward it to some other personnel. I really can't see them just opening things "by accident" at all. They have a choice to honestly redirect unopened or to actually open it. Now, the opening may have been an individual's simple curiosity, for sure.

    Interested in any other analysis, particularly with reference to how mail receipt is handled in other countries' civil service locations. I expect things have moved on somewhat, something like 'tag with barcode, photograph and the computer records the article' is probably the current workflow?

  • by sidek on 7/20/16, 4:04 PM

    Worse, at least according to Google Maps, it is only a 17 minute drive or 28 minute bus ride between Statistics Denmark and the Serum Institute.

    At such a small distance, if such large amounts of confidential information must be delivered, I feel that it ought to be hand-delivered.

  • by plesner on 7/20/16, 4:18 PM

    These things keep happening in Denmark but the thing is, very few people actually care here. Avoiding mistakes of this caliber isn't rocket science but it does take a little effort and awareness and as long as nobody cares there is no motivation to make that effort.

    In that sense this is just giving people what they're asking for. They're not asking for security so they're not getting it.

  • by Symbiote on 7/20/16, 12:58 PM

    Google Translate gives me, "Data Protection Agency takes no further action".

    Is that true? No-one is fined or prosecuted for this? Or even sacked?

  • by danielweber on 7/20/16, 1:07 PM

    To save other people the google search, population of Denmark is 5.6 million.
  • by rascul on 7/20/16, 1:28 PM

  • by 1337biz on 7/20/16, 10:54 PM

    Just came here to ask what do you guys think about centralized health care records?

    It seems impossible to prevent these kinds of "stupid" mistakes from happening.

    My doctor still works mostly on a paper-based system, so in the worst kind of situation just his patients' data are lost.

    Are there any alternatives that prevent those kinds of leaks - esp. considering that even the NSA got out-Snowdened.

  • by Zekio on 7/20/16, 3:31 PM

    The Danish personal identification numbers are useless for identifying someone since we pretty much give them out to anyone who asks for them, and they can be calculated using some methods, which has been done to some politicians just to show the flaws in the system behind them.
  • by neximo64 on 7/20/16, 3:28 PM

    Absolute incompetence.
  • by Angostura on 7/20/16, 1:50 PM

    So, to summarise - burning it to CD is actually fine, but they should have used an in-house courier.
  • by ben_jones on 7/20/16, 8:04 PM

    Disclaimer: I 100% believe in the idiom "don't attribute to malice what could equally be caused by ignorance".

    But I think all those involved should have permanent monitoring on their bank accounts and living status in case a suspiciously large wire were to come from a Chinese entity. This is happening way too often not to become a source of plausible deniability to future criminals. "It was an accident officer I swear!". Sympathies to all those affected by this incident.