
Five million Danish ID numbers sent to Chinese firm by mistake - mbanzon
http://www.thelocal.dk/20160720/five-million-danish-id-numbers-sent-to-chinese-firm-by-mistake
======
runesoerensen
This is ridiculous. It's not just Danish personal identification numbers, but
_ID numbers and health records_ for everyone who have lived in Denmark from
2010 through 2012.

Quick recap since it's in Danish: A danish health authority, SSI, accidentally
_mailed two CDs_ containing _unencrypted CPR-numbers and health records for
5.28m residents_ to the Chinese Visa Application Office.

The Chinese delivered the letter to the intended recipient, Statistics
Denmark, another danish government authority.

The bubble cushioned mailer containing the CDs had been opened, but regardless
the issue of course is the extremely reckless handling of very sensitive
information.

Edit: Article reporting on this in English
[http://www.thelocal.dk/20160720/five-million-danish-id-
numbe...](http://www.thelocal.dk/20160720/five-million-danish-id-numbers-sent-
to-chinese-firm-by-mistake)

Edit 2: The specification and structure of the data that was sent with these
CDs.
[https://twitter.com/christianpanton/status/75574223004496691...](https://twitter.com/christianpanton/status/755742230044966912)
(also in Danish, but this seems to include almost everything; the carelessness
in handling this data appears to have been surpassed only by the extent and
completeness of it)

~~~
Svip
Correction: SSI sent a letter containing two unencrypted CDs containing CPR-
numbers and health records for 5.28 residents in Danish municipals between
2010 and 2012 to the Danish statistics agency (Statistics Denmark).

Post Danmark (postal service) accidentally delivered the letter to Chinese
Visa Application Centre instead. When the employee responsible for receiving
the letter noticed the mistake upon opening, the employee turned the letter
with the two CDs to Statistics Denmark.

According to the employee's story, this was done immediately. And the
investigation team says they have no reason to doubt the validity of her
story.

To sum up: The investigation team believe that the Chinese Visa Application
Centre never actually saw the contents on the CDs. SSI sent the data
unencrypted, and the postal service delivered the letter to the wrong
recipient.

Edit: Changed wording from blaming the postal service.

~~~
mseebach
That's the problem with blame culture. It needs to be someones (emphasis ONE)
fault, and then anyone else can breathe a sigh of relief and move on.

It's blatantly irresponsible that SSI even has the infrastructure to burn CDs
with this information on it (it needs to live in heavily secured, jealously
guarded and scrupulously audited (ideally airgapped) computer system). If they
absolutely need this capability, it's blatantly irresponsible to let such a CD
out of the care of trusted employees -- and if they absolutely need to post
it, they need to heavily encrypt it.

It's not meaningfully "the post service's fault".

~~~
digi_owl
Likely the capability exits for when someone moves to another part of the
country, and the local doctor wants to check the new patient's medical
history.

Note also that the data was meant for what i assume is the national statistics
office. Likely for investigating changes in danish public health over recent
years.

Unless by airgapped you mean to build a separate, free standing, network just
for delivering medical records to doctor's offices around the nation.

~~~
mseebach
First, this is not about doctors exchanging patients' medical histories, it's
about two central government offices exchanging _everybody 's_ medical
histories.

Second, the fact that security is (really!) hard is not a valid argument
against doing it.

Third, there's a huge difference between the appropriate levels of security
around individual patients' medical histories, a single doctors office worth
of patients' data, and then the collective medical histories for every single
patient in the nation.

~~~
DanBC
> Third, there's a huge difference between the appropriate levels of security
> around individual patients' medical histories, a single doctors office worth
> of patients' data, and then the collective medical histories for every
> single patient in the nation.

Hang on: If you're extracting an individual's medical data and putting that on
a USB stick you better make sure it's encrypted, and that there are audit
trails in place for who extracted the data, when, and why, and where they put
it.

------
mads
As a Danish person living in China, I don't know how to feel about this.

In some weird way, I think it was a good thing this got delivered to the China
visa office and not next door to them, in which case we would probably never
have heard about this mistake and for sure it wouldn't be top post here. There
is a good headline to be found in this story, as I have just discovered when
browsing the Danish news.

If this information is handled so recklessly and so nonchalant, it makes me
wonder what other people within Denmark also have access to this information.
Students, secretaries, interns? Can I register as a scientist and get access?
Who exactly has access to my information? I would like to know the answer to
this question.

I know that visa office and have been there many times. It is not a Chinese
government run operation but a private company handling the incoming paper
work for visa applications, which get submitted for review at the Chinese run
Chinese embassy :P

------
ksk
I wonder if this would have been a story if a country other than China was
involved. Of course, the information was carelessly handled but then again
worse things have happened.. like sending a missile to the wrong address. The
bias in the article is interesting, with the author of the article putting the
words 'by mistake' in quotes to signal that the mere act of opening the
package is suspicious. Over the years I have blindly opened plenty of mailed
packages only to realize that it was actually addressed to someone else.

~~~
mads
Yeah, it is not that big of a deal. Wrong address.. Happens all the time..

As a Danish person, I am really interested in the process of packaging these
CD's. Who burned them? Who was in the room? Who collected that data? Was it an
intern? Maybe a secretary? That is some really personal information. Maybe I
can register as a researcher and get access? I dont know, but I want to find
out. Maybe there is a really sophisticated social engineering attack hiding in
this story....

------
pbhjpbhj
The story from the Chinese Visa Application Office (CVAO) is that an employee
opened the letter "by mistake":

>"It said that it was contacted by an employee of the Chinese Visa Application
Centre who said she opened the letter addressed to Statistics Denmark “by
mistake” but then delivered the package to the statistics agency." (TheLocal,
linked above, [http://www.thelocal.dk/20160720/five-million-danish-id-
numbe...](http://www.thelocal.dk/20160720/five-million-danish-id-numbers-sent-
to-chinese-firm-by-mistake)). //

Having worked as a civil servant I find this unlikely if it were properly
addressed. In the office I worked at all mail came in via a mail room who
checked and registered it and directed it to relevant personnel.

Presumably the CVAO receive a lot of mail, they must have a dedicated system
for recording [because we're talking about legal documents and receipt dates
therefore are important to record] and directing that mail. So a piece of mail
comes in for "Statistics Denmark", now what happens?

What I'd expect is it's sent to a mail-room manager to handle. They can then
either redirect the mail unopened or forward it to some other personnel. I
really can't see them just opening things "by accident" at all. They have a
choice to honestly redirect unopened or to actually open it. Now, the opening
may have been an individual's simple curiosity, for sure.

Interested in any other analysis particularly with reference to how mail
receipt is handled in other country's civil service locations. I expect things
have moved on somewhat, something like 'tag with barcode, photograph and the
computer records the article' is probably the current workflow?

~~~
kayone
well, the Danish mail service who's one of its main purposes is to read and
process the mailing address correctly failed. And they most likely have _many_
more processes and safeguards than any office mailroom.

~~~
tomjen3
I am a Dane. I have twice received mail incorrectly sent to my current
address. One was sent to somebody with a different name, to an address that
was close to but not the same as my previous address, the other was to a
person who may have lived here but was not the previous occupant.

This does not include the letters that should have gone to my neighbors but
was put in the wrong letter box.

While I naturally assume this is deliberate I won't rule out that this is just
complete incompetence.

~~~
pbhjpbhj
You noticed that they were misaddressed though, right?

Now imagine you work in an office handling personal identity papers and travel
documents mishandling of which is probably a sack-able offense and possibly a
criminal one too. Every piece of mail entering your address has to be date
registered and properly redirected. Do you think you'd just open letters
without looking at the address?

------
sidek
Worse, at least according to Google Maps, it is only a 17 minute drive or 28
minute bus ride between Statistics Denmark and the Serum Institute.

At such a small distance, if such large amounts of confidential information
must be delivered, I feel that it ought to be hand-delivered.

------
plesner
These things keep happening in Denmark but the thing is, very few people
actually care here. Avoiding mistakes of this caliber isn't rocket science but
it does take a little effort and awareness and as long as nobody cares there
is no motivation to make that effort.

In that sense this is just giving people what they're asking for. They're not
asking for security so they're not getting it.

------
Symbiote
Google Translate gives me, "Data Protection Agency takes no further action".

Is that true? No-one is fined or prosecuted for this? Or even sacked?

~~~
runesoerensen
Yes that's true - The Data Protection Agency see no reason to take any further
action in this case. Their assessment is that there is a low likelihood of an
actual leak (based on a written statement from the Chinese employee who opened
the letter). And the SSI has promised to send such information encrypted going
forward.

~~~
adrianratnapala
If I were a senior official at the Chinese foreign service, and I heard that
one of my employees got such a CD and just gave it back to the Danes without
notifying higher-ups, then I would want that employee's head.

On the other hand, if I were a senior official in the Danish foreign service,
then I would find my life a lot easier if no one was kicking up a fuss about
the Chinese.

~~~
mads
I know that visa office. I am not so concerned about them. That package could
have been delivered anywhere.

What I mean is that it is private company handling incoming paper work just
like any other company in that building. It happens to be doing paper work for
the Chinese embassy.

I am more concerned about who put that information on those CD's and why did
those people have access to that information. That information should be
treated like a radioactive piece of material.

------
danielweber
To save other people the google search, population of Denmark is 5.6 million.

~~~
atemerev
Good thing I only got mine in 2013! My data should be safe then.

Or so they say.

------
rascul
Here is the Google translated version
[https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.datatilsynet.dk%2Fafgoerelser%2Fafgoerelsen%2Fartikel%2Fanbefalet-
brev-afleveret-til-en-forkert-modtager%2F&edit-text=&act=url)

------
1337biz
Just came here to ask what do you guys' think about centralized health care
records?

It seems impossible to prevent these kinds of "stupid" mistakes from
happening.

My doctor still works mostly on a paper based system, so in the worst kind of
situation just his patients data are lost.

Are there any alternatives that prevent those kinds of leaks - esp.
considering that even the NSA got out-Snowdened.

------
Zekio
The Danish personal identification numbers are useless for identifying someone
since we pretty much give them out to anyone who asks for it, and they can be
calculated using some methods, which have been done to some politicians just
to show the flaws in the system behind them.

~~~
runesoerensen
Seems more like this make CPR numbers useless for identity verification, but
even easier to identify someone with.

------
neximo64
Absolute incompetence.

------
Angostura
So, to summarise - burning it to CD is actually fine, but they should have
used an in-house courier.

~~~
dang
Please don't be uncharitable in HN comments; i.e. please don't choose a weak
interpretation of what someone said in order to make it look bad.

We detached this subthread from
[https://news.ycombinator.com/item?id=12128662](https://news.ycombinator.com/item?id=12128662)
and marked it off-topic.

------
ben_jones
Disclaimer: I 100% believe in the idiom "don't attribute to malice what could
equally be caused by ignorance".

But I think all those involved should have permanent monitoring on their bank
accounts and living status incase a suspiciously large wire were to come from
a Chinese entity. This is happening way to often not to become a source of
plausible deniability to future criminals. "It was an accident officer I
swear!". Sympathies to all those effected by this incident.

