Five million Danish ID numbers sent to Chinese firm by mistake (thelocal.dk)
184 points by mbanzon on July 20, 2016 | hide | past | favorite | 79 comments


This is ridiculous. It's not just Danish personal identification numbers, but ID numbers and health records for everyone who has lived in Denmark from 2010 through 2012.

Quick recap since it's in Danish: A Danish health authority, SSI, accidentally mailed two CDs containing unencrypted CPR-numbers and health records for 5.28m residents to the Chinese Visa Application Office.

The Chinese delivered the letter to the intended recipient, Statistics Denmark, another Danish government authority.

The bubble cushioned mailer containing the CDs had been opened, but regardless the issue of course is the extremely reckless handling of very sensitive information.

Edit: Article reporting on this in English http://www.thelocal.dk/20160720/five-million-danish-id-numbe...

Edit 2: The specification and structure of the data that was sent with these CDs. https://twitter.com/christianpanton/status/75574223004496691... (also in Danish, but this seems to include almost everything; the carelessness in handling this data appears to have been surpassed only by the extent and completeness of it)


Correction: SSI sent a letter containing two unencrypted CDs containing CPR-numbers and health records for 5.28 residents in Danish municipalities between 2010 and 2012 to the Danish statistics agency (Statistics Denmark).

Post Danmark (postal service) accidentally delivered the letter to the Chinese Visa Application Centre instead. When the employee responsible for receiving the letter noticed the mistake upon opening it, the employee turned the letter with the two CDs over to Statistics Denmark.

According to the employee's story, this was done immediately. And the investigation team says they have no reason to doubt the validity of her story.

To sum up: The investigation team believe that the Chinese Visa Application Centre never actually saw the contents on the CDs. SSI sent the data unencrypted, and the postal service delivered the letter to the wrong recipient.

Edit: Changed wording from blaming the postal service.


That's the problem with blame culture. It needs to be someone's (emphasis ONE) fault, and then anyone else can breathe a sigh of relief and move on.

It's blatantly irresponsible that SSI even has the infrastructure to burn CDs with this information on it (it needs to live in heavily secured, jealously guarded and scrupulously audited (ideally airgapped) computer system). If they absolutely need this capability, it's blatantly irresponsible to let such a CD out of the care of trusted employees -- and if they absolutely need to post it, they need to heavily encrypt it.

It's not meaningfully "the post service's fault".


I apologise, that summary was inaccurate. But parent's wording seemed to indicate that the SSI had sent the letter to the wrong recipient when that was not the case. I wanted to clear that up.

The problem is that SSI sent the data unencrypted.


The problem was that they sent it at all.


I hate to tell you this but such information is widely emailed around as excel spreadsheet attachments by unthinking people. I would virtually guarantee it happens every day.


This is how the US debt collection system works according to an article I read a couple of years ago...


Likely the capability exists for when someone moves to another part of the country, and the local doctor wants to check the new patient's medical history.

Note also that the data was meant for what I assume is the national statistics office. Likely for investigating changes in Danish public health over recent years.

Unless by airgapped you mean to build a separate, free standing, network just for delivering medical records to doctor's offices around the nation.


First, this is not about doctors exchanging patients' medical histories, it's about two central government offices exchanging everybody's medical histories.

Second, the fact that security is (really!) hard is not a valid argument against doing it.

Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.


> Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.

Hang on: If you're extracting an individual's medical data and putting that on a USB stick you better make sure it's encrypted, and that there are audit trails in place for who extracted the data, when, and why, and where they put it.


Yes, if it's everyone's data you have a senior member of staff drive over and deliver it by hand. Denmark isn't very large.


That it is hard isn't an excuse. That the customers don't pay for security is. And by pay I mean not only the paycheck but also funding and giving prestige and power to doing so. Government IT security is often seen as a necessary evil and most troubles stem from that view.

If you buy a cheap knockoff don't complain when it turns out to not be as good.



How long does a modern machine need to copy off the contents of a couple of CDs? Were the discs in tamper-evident packages?


Not long, I'd imagine. But again there is little to no way to figure out for sure whether the Chinese government has this information. The story really highlights the careless handling of data, because the chances of the Chinese government (or any other third party) getting access to these data are way too high.


> But again there is little to no way to figure out for sure whether the Chinese government has this information

assume they have it.


Let's assume they have it.

What kind of interest would you say the Chinese government has in the health records of a few million Danish residents? I don't know, maybe it's really important, but then maybe it's not that critical after all.


Hi, nice to meet you Johan! Can I get you a drink? Oh, you're an electrician? That's nice, I sell light fixtures.

...

Good to see you again Johan! You'll never believe, I was down at XYZ Clinic yesterday, and they'd left your file out!! Careless right? How did you break it to your wife you had herpes? Oh, she didn't know?! Man, sorry I mentioned it, I'll keep that quiet for sure.

...

Man, it's been a hard month Johan. Sales are down! Hey, you told me you worked at the DaneSecure building right? Oh you didn't? Someone else must have told me that. But look, don't worry. I can keep secrets!! Look could you do me a favour? I need to know what kind of light fixtures they use at DaneSecure so I can pitch to them. Could you take a look and let me know? I'd like to know what kind they are, and specifically, how many are installed on Level 7. You know we're friends, because you know I can keep my mouth shut.

...

Johan, we have a problem!!! My boss said that because we're Chinese-owned, you telling me about the light-fittings in a classified area is technically passing on state secrets!!! You have a lawyer right? No?! OK, here's the plan, don't tell anybody, and we'll figure a way to keep us both out of jail!

...

Are you OK Johan? You look kind of pale. You haven't been worrying about this all week have you? Oh you have? OK well don't worry, I've got a solution. My boss has said he thinks he can stop our corporate lawyers reporting it, and we'll both be fine. There's a small catch favour he wants from us though. He needs to know the power consumption of the floor to help us tailor our pitch. Do you think you could plug this thing in to a light fixture for me? I think we're both going to be fine...

...

Johan, I have some bad news for you? Remember I said I sold light fixtures? Well that wasn't the whole truth...


You forgot the part after step two where Johan the electrician beats the shit out of the little Chinese guy.


I'm confused. Who is this mysterious stranger who doesn't sell light fixtures?


Probably none, but you don't stay a power in the modern world by turning up your nose at any kind of information that comes your way.


They can use it to track the movements of Chinese residents abroad, to blackmail Danes who are assisting Chinese dissidents, or to run scams at doctors' offices or insurers in order to get documentation for spies. I am sure there is more, I am no expert in this sort of thing.


Plus identity theft to help spies assume a false identity when gathering information. And of course: Selling the health records to insurers in order to allow them to set prices for prospective customers. I'm sure insurance companies would pay nicely for this.


I'm not Danish, but...

1. Denmark does not have a private health insurance market.

2. Any company even considering doing this would be in a huge pot of boiling water if the public or the police got wind of it.

Any above-board business would not want to touch lost/stolen health data with a ten-foot pole. In addition to the legalities of this, this opens a huge liability hole, in terms of keeping it secure.


Executive blackmail I imagine. You're a Chinese billionaire with connections to the government, you are in the midst of a deal with a large Danish corporation, you email your government contacts for the medical records of all the executives of that company. You find out one is an alcoholic, one has recently contracted herpes (and his wife hasn't), and so forth.


Assume they had it already.


Was postman of Chinese descent?


Virtually all spy agencies recruit foreign nationals to do their dirty work.

Also your question has a 1 in 5 chance of the answer being "Yes".


> Also your question has a 1 in 5 chance of the answer being "Yes".

Assuming a uniform distribution of postman nationality. If we go by the CS literature, postmen seem always to be Chinese. :)


Why does it matter?


Just to give some perspective: These are the confidential ID numbers and health records, including for example psychiatric information, of more than 90 percent of the Danish population.

It's not legal, but many organisations still trust you are who you say you are if you provide a name and the ID number. You can still call some banks in Denmark and get information on the account balance if you state name, account number and the ID number. Same with the tax authorities and some public authorities.

The health records are likely to include information that can be used to blackmail our politicians, business people etc. since just about everybody in Denmark uses the public health care system.


Are ID numbers confidential in Denmark? They (personnumer) seem fairly widely shared in Sweden and Finland.


They are confidential in Denmark, or rather they were supposed to be.


They aren't confidential, at least not more than your full name. It's a common myth, probably stemming from the fact that there's plenty of laws about how to treat information that can be used to identify people. But those laws pretty much also apply if you just have a list of people's full names.

Edit: Reading through the law, they are more confidential than your full name, though not by much. Generally you can't publish them publicly. And usage within companies and the state is regulated, but fairly permissive. Datatilsynet has explicitly said that they shouldn't be used to identify that a person is who they say they are, and should only be used as a primary key to differentiate people.


Considering everyone and their cousin has your CPR number over here, I fail to see how it could be seen as confidential. My landlord has my CPR, my company has my CPR, my network operator has my CPR, and my language school has my CPR.

Not knowing my CPR has never been a problem, but knowing it has never been an advantage. It's a unique ID as a citizen, but that's as far as it goes.

Every time I call my bank, I have to give the amount of cash available on my account for them to "authenticate" me, or tell them when was the last time I logged on to the website.


They used to be regarded as confidential here in Norway but that has been rather de-emphasised in recent years. But you won't get anywhere asking for information from a bank if you only have the account and personnummer because all the banks here require two factor authentication, as far as I know.


This happens more than you think, although not usually at this scale and this high up in the chain. When a care institution needs to communicate with one of their vendors handling health records about a problem with a specific person's record, most IT-workers at those institutions tend to just mail all details they feel are relevant to the issue without even considering encryption or the necessity of sending all that data over the wire.

The use of physical post here was probably a good thing all things considered! They could just as easily have used WeTransfer or some other cloud solution — when it comes to security best practices people are very good at downplaying the potential risk, even when legislation does acknowledge it and forbids such treatment of sensitive personal information.


> most IT-workers at those institutions tend to just mail all details they feel are relevant to the issue

Not necessarily disbelieving you, but why do you say this? Every place I've worked or contracted at with PII, I've had to sit through training about not doing this, and management provided tools for proper handling.

I don't mean to say that because there are policies that no one ever breaks them. I've also encountered places where what was encouraged on the ground was different than what was listed in policy.


I work for a SaaS vendor of health care record software. From what I have seen care institutions (as opposed to hospitals) do not have the experience or staff in-house to facilitate proper security procedures. The problem as I see it lies not in the routine operations that have a high degree of visibility in the organisation and tend to have strict policies surrounding them because they are anticipated, but in the exceptions, such as key users or the IT support responsible for the service they use reporting issues to the vendor.


> 5.28m residents

Denmark has a population of 5.7m residents, so this is almost all Danes.


That's like the entire Danish population. Also, who sends CDs these days?



And the letter, which was sent as priority mail, had been opened when they went to retrieve it...


Now they must assume that information is compromised and take action.


Which is what? Give every Dane a new health record?


I read that to mean _legal_ action.

IANAL, and can't profess to any knowledge whatsoever of Danish law, but opening a package clearly addressed to someone else without permission may be reasonable grounds for litigation.

Though to the question "what good will that do", you're right, it's not like new health records can be issued.

Depending on the details of what was shared and what ties them to an individual though, I suppose it might be possible to issue new IDs.


They wrote that they do not believe that there was a compromise of the data.


So? An unencrypted CD was accessible for a time period to a third party. It's good security practice to consider the data to be compromised. Especially a powerful, malicious actor will put in effort to make it appear that this is not the case.

If anything, this requires a severe audit of the security practices of the affected organisations. Moreover, I think citizens of Denmark are entitled to know what information about their personal health records is leaked.


As a Danish person living in China, I don't know how to feel about this.

In some weird way, I think it was a good thing this got delivered to the China visa office and not next door to them, in which case we would probably never have heard about this mistake and for sure it wouldn't be top post here. There is a good headline to be found in this story, as I have just discovered when browsing the Danish news.

If this information is handled so recklessly and so nonchalantly, it makes me wonder what other people within Denmark also have access to this information. Students, secretaries, interns? Can I register as a scientist and get access? Who exactly has access to my information? I would like to know the answer to this question.

I know that visa office and have been there many times. It is not a Chinese government run operation but a private company handling the incoming paper work for visa applications, which get submitted for review at the Chinese run Chinese embassy :P


I wonder if this would have been a story if a country other than China was involved. Of course, the information was carelessly handled but then again worse things have happened.. like sending a missile to the wrong address. The bias in the article is interesting, with the author of the article putting the words 'by mistake' in quotes to signal that the mere act of opening the package is suspicious. Over the years I have blindly opened plenty of mailed packages only to realize that it was actually addressed to someone else.


Yeah, it is not that big of a deal. Wrong address.. Happens all the time..

As a Danish person, I am really interested in the process of packaging these CDs. Who burned them? Who was in the room? Who collected that data? Was it an intern? Maybe a secretary? That is some really personal information. Maybe I can register as a researcher and get access? I don't know, but I want to find out. Maybe there is a really sophisticated social engineering attack hiding in this story....


The story from the Chinese Visa Application Office (CVAO) is that an employee opened the letter "by mistake":

> "It said that it was contacted by an employee of the Chinese Visa Application Centre who said she opened the letter addressed to Statistics Denmark “by mistake” but then delivered the package to the statistics agency." (TheLocal, linked above, http://www.thelocal.dk/20160720/five-million-danish-id-numbe...)

Having worked as a civil servant I find this unlikely if it were properly addressed. In the office I worked at all mail came in via a mail room who checked and registered it and directed it to relevant personnel.

Presumably the CVAO receive a lot of mail, they must have a dedicated system for recording [because we're talking about legal documents and receipt dates therefore are important to record] and directing that mail. So a piece of mail comes in for "Statistics Denmark", now what happens?

What I'd expect is it's sent to a mail-room manager to handle. They can then either redirect the mail unopened or forward it to some other personnel. I really can't see them just opening things "by accident" at all. They have a choice to honestly redirect unopened or to actually open it. Now, the opening may have been an individual's simple curiosity, for sure.

Interested in any other analysis, particularly with reference to how mail receipt is handled in other countries' civil service locations. I expect things have moved on somewhat; something like 'tag with barcode, photograph and the computer records the article' is probably the current workflow?


Well, the Danish mail service, one of whose main purposes is to read and process the mailing address correctly, failed. And they most likely have _many_ more processes and safeguards than any office mailroom.


I am a Dane. I have twice received mail incorrectly sent to my current address. One was sent to somebody with a different name, to an address that was close to but not the same as my previous address, the other was to a person who may have lived here but was not the previous occupant.

This does not include the letters that should have gone to my neighbors but were put in the wrong letter box.

While I naturally assume this is deliberate I won't rule out that this is just complete incompetence.


You noticed that they were misaddressed though, right?

Now imagine you work in an office handling personal identity papers and travel documents mishandling of which is probably a sack-able offense and possibly a criminal one too. Every piece of mail entering your address has to be date registered and properly redirected. Do you think you'd just open letters without looking at the address?


The Danish mail service presumably handles several orders of magnitude more mail per member of staff than an office mail room too.

In a civil service establishment handling legal documents you have to have controls on the mail, no member of staff is just going to open a piece of misaddressed mail willy-nilly, it's going to follow procedure especially in an office handling identity papers.


Worse, at least according to Google Maps, it is only a 17 minute drive or 28 minute bus ride between Statistics Denmark and the Serum Institute.

At such a small distance, if such large amounts of confidential information must be delivered, I feel that it ought to be hand-delivered.


These things keep happening in Denmark but the thing is, very few people actually care here. Avoiding mistakes of this caliber isn't rocket science but it does take a little effort and awareness and as long as nobody cares there is no motivation to make that effort.

In that sense this is just giving people what they're asking for. They're not asking for security so they're not getting it.


Google Translate gives me, "Data Protection Agency takes no further action".

Is that true? No-one is fined or prosecuted for this? Or even sacked?


Yes that's true - The Data Protection Agency see no reason to take any further action in this case. Their assessment is that there is a low likelihood of an actual leak (based on a written statement from the Chinese employee who opened the letter). And the SSI has promised to send such information encrypted going forward.


If I were a senior official at the Chinese foreign service, and I heard that one of my employees got such a CD and just gave it back to the Danes without notifying higher-ups, then I would want that employee's head.

On the other hand, if I were a senior official in the Danish foreign service, then I would find my life a lot easier if no one was kicking up a fuss about the Chinese.


I know that visa office. I am not so concerned about them. That package could have been delivered anywhere.

What I mean is that it is a private company handling incoming paperwork just like any other company in that building. It happens to be doing paperwork for the Chinese embassy.

I am more concerned about who put that information on those CDs and why those people had access to that information. That information should be treated like a piece of radioactive material.


Sending this sort of data through the mail unencrypted shouldn't be legal to start with, imho. It's just a matter of time before it ends up in the wrong person's hands by accident.


As others write, the data protection agency doesn't have any real power. As a result very few companies and even other government agencies really care about the opinion of the data protection agency.

It doesn't make sense to fine anyone, or even try to prosecute, because everyone will just claim that they are just doing as instructed, and a fine to government agency is a little weird.

The issue is a combination of a belief that any problem can be solved using IT, and at the same time refusing to make any effort to understand IT. In terms of IT the Danish government is completely ignorant, bordering on the incompetent.

I don't think I would be completely off if I claimed that almost no one working in Denmark has ever received any real training in basic IT, and least of all in data protection. It's naively assumed that everyone in society has the skills required to use a computer, and to treat data with the care that is needed.

The basic issue is that the person in charge of making the CDs didn't see an issue with not encrypting them, or didn't know how to do so. It's a culture of incompetence and happy ignorance.


> the data protection agency doesn't have any real power.

Which is a shame, because the Charter of Fundamental Rights of the European Union is supposed to guarantee that data protection issues are protected by an independent body.


Datatilsynet (Data Protection Agency) has no actual powers. They can only raise fingers. Parliament has decided not to actually grant them any powers but say mean things. Datatilsynet themselves have on numerous occasions admitted that they are pretty powerless.


To save other people the google search, population of Denmark is 5.6 million.


Good thing I only got mine in 2013! My data should be safe then.

Or so they say.



Just came here to ask what you guys think about centralized health care records?

It seems impossible to prevent these kinds of "stupid" mistakes from happening.

My doctor still works mostly on a paper based system, so in the worst kind of situation just his patients' data are lost.

Are there any alternatives that prevent those kinds of leaks - esp. considering that even the NSA got out-Snowdened.


The Danish personal identification numbers are useless for identifying someone since we pretty much give them out to anyone who asks for it, and they can be calculated using some methods, which have been done to some politicians just to show the flaws in the system behind them.


Seems more like this makes CPR numbers useless for identity verification, but makes it even easier to identify someone with them.


Absolute incompetence.


So, to summarise - burning it to CD is actually fine, but they should have used an in-house courier.


Please don't be uncharitable in HN comments; i.e. please don't choose a weak interpretation of what someone said in order to make it look bad.

We detached this subthread from https://news.ycombinator.com/item?id=12128662 and marked it off-topic.


Not Danish so I don't know their laws, but in the US not encrypting the disk would be a violation of HIPAA. In-house courier would work but isn't necessary. FedEx at least, I am sure the others do too, provide services for transporting secure information. Though you have to make use of them, you don't just drop it off with the regular shipping as seems to have been done here.


No, not really, and I said as much.


How much effort is it to encrypt the contents first? Virtually none. Items get dropped, go missing, etc. - given the importance of the data they should have both encrypted it (one-time pad, using a secure side-channel to pass the key at the point when it was required) and used a trusted delivery system.


Disclaimer: I 100% believe in the idiom "don't attribute to malice what could equally be caused by ignorance".

But I think all those involved should have permanent monitoring on their bank accounts and living status in case a suspiciously large wire were to come from a Chinese entity. This is happening way too often not to become a source of plausible deniability to future criminals. "It was an accident officer I swear!". Sympathies to all those affected by this incident.



