In 2015, the Danish State Serum Institute (SSI) sent a package to Statistics Denmark containing two CDs with the ID numbers and health information of 5,282,616 people who lived in Denmark between 2010-2012. According to Datatilsynet, the package was sent by registered mail and was mistakenly "delivered to the Chinese Visa Application Centre."
Statistics Denmark claimed that, by the time the package reached them, it had already been opened. The Data Protection Agency wrote, "The CDs contained information on personal [ID] numbers and health information, but not names or addresses. The CDs were not encrypted." Datatilsynet also criticized SSI for releasing sensitive information in an unencrypted format.
SSI responded saying, "We are talking about sensitive personal data of a very extensive character and it cannot be ruled out that it could have had concrete consequences for the affected individuals if the information had actually reached unauthorized individuals." They claim they are under the "perception" that the data "neither reached other people nor was seen by other people."
SSI claimed they were contacted by a Chinese Visa Application Centre employee who accepted responsibility for opening the package "by mistake." They said they have "not found reason to doubt" her story.
Denmark’s CPR number system has been criticized for not being fortified against identity theft and hacking, and this isn’t the first time Danish citizens have had their private information exposed.
In 2014 over 900,000 ID numbers were released online, available for an hour before being removed. At least 18 companies collected the information for marketing purposes, and later had to prove that they had deleted it.
Two weeks prior, former police officer and “hacktivist” Lars Kragh Andersen was arrested for releasing the social security numbers of Defence Minister Nicolai Wammenin and Prime Minister Helle Thorning-Schmidt, as part of a digital protest against online surveillance.
Wammenin and Thorning-Schmidt were two of 91 politicians that had their information leaked. The activists wrote in an online statement, "The fact that you are actively supporting the law, [which] allows the Center for Cyber Security to intercept communications from the Danish citizens without a warrant, and call the deserved response an 'attack on the democracy' proves our point very well: You are the same hypocrites as always…you of all people, are trying to teach us about democracy?"