Communication regarding a personal data breach in the Danish Ministry of Immigration and Integration, the Danish Return Agency, the Danish Immigration Service and the Danish Agency for International Recruitment and Integration. The personal data breach concerns the risk of unauthorised access to personal data in the Ministry’s and the Agencies’ old backups of the immigration authorities’ central case processing systems, prior to March 2020. The Danish Data Protection Agency has been notified of the breach.
The personal data breach was discovered after an enquiry from the supplier. The supplier is a public authority. Subsequent investigations showed that, due to an error, the Ministry’s and the Agencies’ old backups did not have adequate restrictions on access. This resulted in some of the supplier’s employees having had access to the Ministry’s and the Agencies’ old backups, which contained personal data, including confidential data, as well as special categories of personal data. There has only been access to the information in the Ministry’s and the Agencies’ old backups and not general access to the information in the associated case processing systems. It has therefore not been possible to carry out a broad search on, for example, a full name or CPR number in order to find personal data on a specific person. It has unfortunately not been possible to determine when the error regarding the restrictions on access occurred. The old backups have been given the correct restrictions on access and the personal data breach has therefore been stopped. The old backups will be deleted when the Danish Data Protection Agency has concluded its case.
The supplier made an enquiry to the Danish Ministry of Immigration and Integration’s IT department on the 11th of February 2021 regarding a possible data breach. The personal data breach was subsequently confirmed and the unauthorised access to the Ministry’s old backup was removed.
The Danish Ministry of Immigration and Integration notified the Danish Data Protection Agency of the personal data breach on the 12th of February 2021. The notification was thus made within the 72-hour limit.
Furthermore, a number of investigations were carried out in order to determine the extent of the personal data breach. It has, however, not been possible for the Danish Ministry of Immigration and Integration and the Agencies to ascertain the exact number of data subjects or the specific amount of personal data affected by the personal data breach.
It is the assessment of the Danish Ministry of Immigration and Integration, the Agencies and the supplier that it is unlikely that the supplier’s employees have gained unauthorised access to the personal data. Recent logs concerning the supplier’s and the Ministry’s employees’ access to the old backups have shown that the old backups have been accessed to a limited extent in the last 18 months and that all employees who have accessed the data in that period have had a work-related purpose in accessing the data. Furthermore, access to the old backups required specific technical knowledge of the backup types in question, as well as technical knowledge of how possibly encrypted backups are decrypted and read. The backups have at no point been available to persons outside the Ministry, the Agencies and the supplier. The Danish Ministry of Immigration and Integration and the Agencies have no indications that the personal data in question have been exploited, and on the grounds of the above assess that exploitation is unlikely, but cannot rule it out, since the logs show activity for the last 18 months. Therefore, the Ministry and the Agencies cannot completely rule out the possibility that someone in the preceding months has had access and are thus, from a precautionary perspective, carrying out a public communication whereby all persons that are potentially affected by the personal data breach are informed.
This includes all persons that are registered in the Ministry’s and the Agencies’ case processing systems. The old backups in question concern all of the immigration authorities’ central case processing systems that are used to process cases concerning foreign nationals’ access to and residence in Denmark. This, among others, includes cases concerning asylum, family reunification, permanent residence, and residence permits concerning work, study, au pair and internship.
The Danish Ministry of Immigration and Integration’s old backups contained, among others, personal data in the form of names, CPR numbers or personal ID-numbers, as well as personal data concerning employment, ethnicity, political affiliation, religious belief, health information, criminal offences and/or biometric data.
If an employee accessed the personal data without reason and subsequently exploited the personal data, the possible consequences for the data subject could include the loss of control of one’s personal data and possible identity theft.
The Danish Ministry of Immigration and Integration and the Agencies therefore urge all data subjects to be aware of the possible misuse of their personal data. The misuse of personal data may include being contacted by persons who have information about your immigration case or status. If this happens, you must immediately contact the Danish Ministry of Immigration and Integration and the police.
The Ministry and the Agencies note that all employees in the public sector are governed by a duty of confidentiality, cf. the Public Administration Act section 27. If an employee has misused the access to the personal data in the backups and violated their duty of confidentiality, the employee can be punished. Furthermore, all suppliers to public authorities are governed by a sanctioned duty of confidentiality, cf. the Criminal Code section 152 a. As mentioned above, there are no indications that the personal data in question have been exploited.
Finally, it is noted that the employees in question who would have been able to access the old backups hold security clearance.
You can contact the Danish Ministry of Immigration and Integration securely through this link
You can also contact the Data Protection Officers of the Ministry of Immigration and Integration, the Danish Return Agency, the Danish Immigration Service and the Danish Agency for International Recruitment and Integration via dpo@uim.dk, dpo@hjemst.dk, dpo@us.dk and dpo@siri.dk.