Quick recap since it's in Danish: A Danish health authority, SSI, accidentally mailed two CDs containing unencrypted CPR-numbers and health records for 5.28m residents to the Chinese Visa Application Office.
The Chinese delivered the letter to the intended recipient, Statistics Denmark, another Danish government authority.
The bubble cushioned mailer containing the CDs had been opened, but regardless the issue of course is the extremely reckless handling of very sensitive information.
Edit: Article reporting on this in English http://www.thelocal.dk/20160720/five-million-danish-id-numbe...
Edit 2: The specification and structure of the data that was sent with these CDs. https://twitter.com/christianpanton/status/75574223004496691... (also in Danish, but this seems to include almost everything; the carelessness in handling this data appears to have been surpassed only by the extent and completeness of it)
Post Danmark (postal service) accidentally delivered the letter to the Chinese Visa Application Centre instead. When the employee responsible for receiving the letter noticed the mistake upon opening, the employee turned the letter with the two CDs over to Statistics Denmark.
According to the employee's story, this was done immediately. And the investigation team says they have no reason to doubt the validity of her story.
To sum up: The investigation team believe that the Chinese Visa Application Centre never actually saw the contents on the CDs. SSI sent the data unencrypted, and the postal service delivered the letter to the wrong recipient.
Edit: Changed wording from blaming the postal service.
It's blatantly irresponsible that SSI even has the infrastructure to burn CDs with this information on it (it needs to live in a heavily secured, jealously guarded and scrupulously audited (ideally airgapped) computer system). If they absolutely need this capability, it's blatantly irresponsible to let such a CD out of the care of trusted employees -- and if they absolutely need to post it, they need to heavily encrypt it.
It's not meaningfully "the post service's fault".
It's not legal, but many organisations still trust that you are who you say you are if you provide name and the ID number. You can still call some banks in Denmark and get information on the account balance if you state name, account number and the ID number. Same with the tax authorities and some public authorities.
The health records are likely to include information that can be used to blackmail our politicians, business people etc. since just about everybody in Denmark uses the public health care system.
The use of physical post here was probably a good thing all things considered! They could just as easily have used WeTransfer or some other cloud solution — when it comes to security best practices people are very good at downplaying the potential risk, even when legislation does acknowledge it and forbids such treatment of sensitive personal information.
Not necessarily disbelieving you, but why do you say this? Every place I've worked or contracted at with PII, I've had to sit through training about not doing this, and management provided tools for proper handling.
I don't mean to say that because there are policies that no one ever breaks them. I've also encountered places where what was encouraged on the ground was different than what was listed in policy.
Denmark has a population of 5.7m residents, so this is almost all Danes.
In some weird way, I think it was a good thing this got delivered to the China visa office and not next door to them, in which case we would probably never have heard about this mistake and for sure it wouldn't be top post here. There is a good headline to be found in this story, as I have just discovered when browsing the Danish news.
If this information is handled so recklessly and so nonchalantly, it makes me wonder what other people within Denmark also have access to this information. Students, secretaries, interns? Can I register as a scientist and get access? Who exactly has access to my information? I would like to know the answer to this question.
I know that visa office and have been there many times. It is not a Chinese government-run operation but a private company handling the incoming paperwork for visa applications, which get submitted for review at the Chinese-run Chinese embassy :P
As a Danish person, I am really interested in the process of packaging these CDs. Who burned them? Who was in the room? Who collected that data? Was it an intern? Maybe a secretary? That is some really personal information. Maybe I can register as a researcher and get access? I don't know, but I want to find out. Maybe there is a really sophisticated social engineering attack hiding in this story....
>"It said that it was contacted by an employee of the Chinese Visa Application Centre who said she opened the letter addressed to Statistics Denmark “by mistake” but then delivered the package to the statistics agency." (TheLocal, linked above, http://www.thelocal.dk/20160720/five-million-danish-id-numbe...). //
Having worked as a civil servant I find this unlikely if it were properly addressed. In the office I worked at all mail came in via a mail room who checked and registered it and directed it to relevant personnel.
Presumably the CVAO receive a lot of mail, they must have a dedicated system for recording [because we're talking about legal documents and receipt dates therefore are important to record] and directing that mail. So a piece of mail comes in for "Statistics Denmark", now what happens?
What I'd expect is it's sent to a mail-room manager to handle. They can then either redirect the mail unopened or forward it to some other personnel. I really can't see them just opening things "by accident" at all. They have a choice to honestly redirect unopened or to actually open it. Now, the opening may have been an individual's simple curiosity, for sure.
Interested in any other analysis, particularly with reference to how mail receipt is handled in other countries' civil service locations. I expect things have moved on somewhat, something like 'tag with barcode, photograph and the computer records the article' is probably the current workflow?
This does not include the letters that should have gone to my neighbors but were put in the wrong letter box.
While I naturally assume this is deliberate I won't rule out that this is just complete incompetence.
In a civil service establishment handling legal documents you have to have controls on the mail, no member of staff is just going to open a piece of misaddressed mail willy-nilly, it's going to follow procedure especially in an office handling identity papers.
At such a small distance, if such large amounts of confidential information must be delivered, I feel that it ought to be hand-delivered.
In that sense this is just giving people what they're asking for. They're not asking for security so they're not getting it.
Is that true? No-one is fined or prosecuted for this? Or even sacked?
On the other hand, if I were a senior official in the Danish foreign service, then I would find my life a lot easier if no one was kicking up a fuss about the Chinese.
It doesn't make sense to fine anyone, or even try to prosecute, because everyone will just claim that they are just doing as instructed, and a fine to a government agency is a little weird.
The issue is a combination of a belief that any problem can be solved using IT, and at the same time refusing to make any effort to understand IT. In terms of IT the Danish government is completely ignorant, bordering on the incompetent.
I don't think I would be completely off if I claim that almost no one working in Denmark has ever received any real training in basic IT, and least of all in data protection. It's naively assumed that everyone in society has the skills required to use a computer, and treat data with the care that is needed.
The basic issue is that the person in charge of making the CDs didn't see an issue with not encrypting them, or not knowing how to do so. It's a culture of incompetence and happy ignorance.
Which is a shame, because the Charter of Fundamental Rights of the European Union is supposed to guarantee that data protection issues are protected by an independent body.
Or so they say.
It seems impossible to prevent these kinds of "stupid" mistakes from happening.
My doctor still works mostly on a paper-based system, so in the worst kind of situation just his patients' data are lost.
Are there any alternatives that prevent those kinds of leaks - esp. considering that even the NSA got out-Snowdened?
We detached this subthread from https://news.ycombinator.com/item?id=12128662 and marked it off-topic.
But I think all those involved should have permanent monitoring on their bank accounts and living status in case a suspiciously large wire were to come from a Chinese entity. This is happening way too often not to become a source of plausible deniability to future criminals. "It was an accident, officer, I swear!". Sympathies to all those affected by this incident.