Quick recap since it's in Danish: A Danish health authority, SSI, accidentally mailed two CDs containing unencrypted CPR-numbers and health records for 5.28m residents to the Chinese Visa Application Office.
The Chinese delivered the letter to the intended recipient, Statistics Denmark, another Danish government authority.
The bubble cushioned mailer containing the CDs had been opened, but regardless the issue of course is the extremely reckless handling of very sensitive information.
Edit: Article reporting on this in English http://www.thelocal.dk/20160720/five-million-danish-id-numbe...
Edit 2: The specification and structure of the data that was sent with these CDs. https://twitter.com/christianpanton/status/75574223004496691... (also in Danish, but this seems to include almost everything; the carelessness in handling this data appears to have been surpassed only by the extent and completeness of it)
Post Danmark (postal service) accidentally delivered the letter to the Chinese Visa Application Centre instead. When the employee responsible for receiving the letter noticed the mistake upon opening it, the employee turned the letter with the two CDs over to Statistics Denmark.
According to the employee's story, this was done immediately. And the investigation team says they have no reason to doubt the validity of her story.
To sum up: The investigation team believe that the Chinese Visa Application Centre never actually saw the contents on the CDs. SSI sent the data unencrypted, and the postal service delivered the letter to the wrong recipient.
Edit: Changed wording from blaming the postal service.
It's blatantly irresponsible that SSI even has the infrastructure to burn CDs with this information on it (it needs to live in a heavily secured, jealously guarded and scrupulously audited (ideally airgapped) computer system). If they absolutely need this capability, it's blatantly irresponsible to let such a CD out of the care of trusted employees -- and if they absolutely need to post it, they need to heavily encrypt it.
It's not meaningfully "the post service's fault".
It's not legal, but many organisations still trust you are who you say you are if you provide a name and the ID number. You can still call some banks in Denmark and get information on the account balance if you state name, account number and the ID number. Same with the tax authorities and some public authorities.
The health records are likely to include information that can be used to blackmail our politicians, business people etc. since just about everybody in Denmark uses the public health care system.
The use of physical post here was probably a good thing all things considered! They could just as easily have used WeTransfer or some other cloud solution — when it comes to security best practices people are very good at downplaying the potential risk, even when legislation does acknowledge it and forbids such treatment of sensitive personal information.
Not necessarily disbelieving you, but why do you say this? Every place I've worked or contracted at with PII, I've had to sit through training about not doing this, and management provided tools for proper handling.
I don't mean to say that because there are policies that no one ever breaks them. I've also encountered places where what was encouraged on the ground was different than what was listed in policy.
Denmark has a population of 5.7m residents, so this is almost all Danes.
In some weird way, I think it was a good thing this got delivered to the China visa office and not next door to them, in which case we would probably never have heard about this mistake and for sure it wouldn't be top post here. There is a good headline to be found in this story, as I have just discovered when browsing the Danish news.
If this information is handled so recklessly and so nonchalantly, it makes me wonder what other people within Denmark also have access to this information. Students, secretaries, interns? Can I register as a scientist and get access? Who exactly has access to my information? I would like to know the answer to this question.
I know that visa office and have been there many times. It is not a Chinese government run operation but a private company handling the incoming paper work for visa applications, which get submitted for review at the Chinese run Chinese embassy :P
As a Danish person, I am really interested in the process of packaging these CDs. Who burned them? Who was in the room? Who collected that data? Was it an intern? Maybe a secretary? That is some really personal information. Maybe I can register as a researcher and get access? I don't know, but I want to find out. Maybe there is a really sophisticated social engineering attack hiding in this story....
>"It said that it was contacted by an employee of the Chinese Visa Application Centre who said she opened the letter addressed to Statistics Denmark “by mistake” but then delivered the package to the statistics agency." (TheLocal, linked above, http://www.thelocal.dk/20160720/five-million-danish-id-numbe...). //
Having worked as a civil servant I find this unlikely if it were properly addressed. In the office I worked at all mail came in via a mail room who checked and registered it and directed it to relevant personnel.
Presumably the CVAO receive a lot of mail, they must have a dedicated system for recording [because we're talking about legal documents and receipt dates therefore are important to record] and directing that mail. So a piece of mail comes in for "Statistics Denmark", now what happens?
What I'd expect is it's sent to a mail-room manager to handle. They can then either redirect the mail unopened or forward it to some other personnel. I really can't see them just opening things "by accident" at all. They have a choice to honestly redirect unopened or to actually open it. Now, the opening may have been an individual's simple curiosity, for sure.
Interested in any other analysis, particularly with reference to how mail receipt is handled in other countries' civil service locations. I expect things have moved on somewhat; something like 'tag with barcode, photograph and the computer records the article' is probably the current workflow?
At such a small distance, if such large amounts of confidential information must be delivered, I feel that it ought to be hand-delivered.
In that sense this is just giving people what they're asking for. They're not asking for security so they're not getting it.
Is that true? No-one is fined or prosecuted for this? Or even sacked?
On the other hand, if I were a senior official in the Danish foreign service, then I would find my life a lot easier if no one was kicking up a fuss about the Chinese.
Or so they say.
It seems impossible to prevent these kinds of "stupid" mistakes from happening.
My doctor still works mostly on a paper based system, so in the worst kind of situation just his patients data are lost.
Are there any alternatives that prevent those kinds of leaks - esp. considering that even the NSA got out-Snowdened.
We detached this subthread from https://news.ycombinator.com/item?id=12128662 and marked it off-topic.
But I think all those involved should have permanent monitoring on their bank accounts and living status in case a suspiciously large wire were to come from a Chinese entity. This is happening way too often not to become a source of plausible deniability to future criminals. "It was an accident officer I swear!". Sympathies to all those affected by this incident.
This does not include the letters that should have gone to my neighbors but were put in the wrong letter box.
While I naturally assume this is deliberate I won't rule out that this is just complete incompetence.
In a civil service establishment handling legal documents you have to have controls on the mail, no member of staff is just going to open a piece of misaddressed mail willy-nilly, it's going to follow procedure especially in an office handling identity papers.
It doesn't make sense to fine anyone, or even try to prosecute, because everyone will just claim that they are just doing as instructed, and a fine to government agency is a little weird.
The issue is a combination of a belief that any problem can be solved using IT, and at the same time refusing to make any effort to understand IT. In terms of IT the Danish government is completely ignorant, bordering on the incompetent.
I don't think I would be completely off if I claim that almost no one working in Denmark has ever received any real training in basic IT, and least of all in data protection. It's naively assumed that everyone in society has the skills required to use a computer, and treat data with the care that is needed.
The basic issue is that the person in charge of making the CDs didn't see an issue with not encrypting them, or didn't know how to do so. It's a culture of incompetence and happy ignorance.
Which is a shame, because the Charter of Fundamental Rights of the European Union is supposed to guarantee that data protection issues are protected by an independent body.
What I mean is that it is a private company handling incoming paper work just like any other company in that building. It happens to be doing paper work for the Chinese embassy.
I am more concerned about who put that information on those CDs and why those people had access to that information. That information should be treated like a radioactive piece of material.
Now imagine you work in an office handling personal identity papers and travel documents mishandling of which is probably a sack-able offense and possibly a criminal one too. Every piece of mail entering your address has to be date registered and properly redirected. Do you think you'd just open letters without looking at the address?
Also your question has a 1 in 5 chance of the answer being "Yes".
> Also your question has a 1 in 5 chance of the answer being "Yes".
Assuming a uniform distribution of postman nationality. If we go by the CS literature, postmen seem always to be Chinese. :)
Edit: Reading through the law, they are more confidential than your full name, though not by much. Generally you can't publish them publicly. And usage within companies and the state is regulated, but fairly permissive. Datatilsynet has explicitly said that they shouldn't be used to verify that a person is who they say they are, and should only be used as a primary key to differentiate people.
Not knowing my CPR has never been a problem, but knowing it has never been an advantage. It's a unique ID as a citizen, but that's as far as it goes.
Every time I call my bank, I have to give the amount of cash available on my account for them to "authenticate" me, or tell them when was the last time I logged on to the website.
IANAL, and can't profess to any knowledge whatsoever of Danish law, but opening a package clearly addressed to someone else without permission may be reasonable grounds for litigation.
Though to the question "what good will that do", you're right, it's not like new health records can be issued.
Depending on the details of what was shared and what ties them to an individual though, I suppose it might be possible to issue new IDs.
If anything, this requires a severe audit of the security practices of the affected organisations. Moreover, I think citizens of Denmark are entitled to know what information about their personal health records is leaked.
assume they have it.
What kind of interest would you say the Chinese government has in the health records of a few million Danish residents? I don't know, maybe it's really important, but then maybe it's not that critical after all.
The problem is that SSI sent the data unencrypted.
Note also that the data was meant for what I assume is the national statistics office. Likely for investigating changes in Danish public health over recent years.
Unless by airgapped you mean to build a separate, free standing, network just for delivering medical records to doctor's offices around the nation.
Second, the fact that security is (really!) hard is not a valid argument against doing it.
Third, there's a huge difference between the appropriate levels of security around individual patients' medical histories, a single doctor's office worth of patients' data, and then the collective medical histories for every single patient in the nation.
Hang on: If you're extracting an individual's medical data and putting that on a USB stick you better make sure it's encrypted, and that there are audit trails in place for who extracted the data, when, and why, and where they put it.
If you buy a cheap knockoff don't complain when it turns out to not be as good.
...
Good to see you again Johan! You'll never believe, I was down at XYZ Clinic yesterday, and they'd left your file out!! Careless right? How did you break it to your wife you had herpes? Oh, she didn't know?! Man, sorry I mentioned it, I'll keep that quiet for sure.
...
Man, it's been a hard month Johan. Sales are down! Hey, you told me you worked at the DaneSecure building right? Oh you didn't? Someone else must have told me that. But look, don't worry. I can keep secrets!! Look could you do me a favour? I need to know what kind of light fixtures they use at DaneSecure so I can pitch to them. Could you take a look and let me know? I'd like to know what kind they are, and specifically, how many are installed on Level 7. You know we're friends, because you know I can keep my mouth shut.
...
Johan, we have a problem!!! My boss said that because we're Chinese-owned, you telling me about the light-fittings in a classified area is technically passing on state secrets!!! You have a lawyer right? No?! OK, here's the plan, don't tell anybody, and we'll figure a way to keep us both out of jail!
...
Are you OK Johan? You look kind of pale. You haven't been worrying about this all week have you? Oh you have? OK well don't worry, I've got a solution. My boss has said he thinks he can stop our corporate lawyers reporting it, and we'll both be fine. There's a small catch favour he wants from us though. He needs to know the power consumption of the floor to help us tailor our pitch. Do you think you could plug this thing in to a light fixture for me? I think we're both going to be fine...
...
Johan, I have some bad news for you? Remember I said I sold light fixtures? Well that wasn't the whole truth...
1. Denmark does not have a private health insurance market.
2. Any company even considering doing this would be in a huge pot of boiling water if the public, or the police, got wind of it.
Any above-board business would not want to touch lost/stolen health data with a ten-foot pole. In addition to the legalities of this, this opens a huge liability hole, in terms of keeping it secure.