Published 07-03-2023

Press release: SIRI has reported unauthorised access to personal data to the police

SIRI has terminated the employment of an employee and reported the now former employee to the police for having accessed personal data without authorisation.

A now former SIRI employee has had their employment terminated and been reported to the police for having accessed personal data in the CPR register and/or SIRI’s case processing system without authorisation.

Based on a manual evaluation of more than 50,000 data logs, it is SIRI’s assessment that the former employee may have accessed data belonging to 3,300 persons in the period between January 2021 and November 2022.

As a matter of precaution, SIRI has sent an information letter to all individuals who have potentially been affected. Furthermore, the incident has been reported to the Danish Data Protection Agency (Datatilsynet).

SIRI’s General Director, Trine Rask Thygesen, states:

“This is a very regrettable case, which I take very seriously. We are dealing with an employee who has grossly abused their access to personal data, and consequently, we have terminated their employment and reported the case to the police.

We will do everything in our power to ensure this does not happen again. Consequently, we will review our current procedures and guidelines in order to investigate whether we can do more to prevent abuse of access to personal data.”

About the case in question

On 20 October 2022, SIRI was contacted by a citizen who suspected that a SIRI employee had had unauthorised access to their personal data. Based on the data available at the time, SIRI could not identify the employee.

On 2 November 2022, SIRI managed to identify the employee in question. SIRI was able to conclude that the employee retrieved data, which were of no relevance to the employee’s work-related tasks. By accessing the systems, the employee would have been able to access information such as CPR number, income, family relations and decisions made in cases regarding residence permits and related cases.

On the same day, 2 November 2022, the employee was banned from SIRI’s premises.]Their access card, telephone and computer were confiscated, and their access to SIRI’s IT systems was suspended.

On 3 and 8 November 2022, SIRI contacted our IT providers in order to retrieve data on the employee’s data logs in both the CPR register and SIRI’s case processing system. On 4 and 8 November 2022, we received this data. At that time, SIRI was informed that the CPR register was able to access logging data 13 months back in time. Furthermore, SIRI was at first informed that logging data from SIRI’s case processing system was only preserved for a very short period of time, and that consequently, no more data could be retrieved.

On 4 November 2022, the incident was reported to the Danish Data Protection Agency (Datatilsynet), after which SIRI continued to follow up on the reported breach in the subsequent period.

On 5 and 7 December 2022, SIRI unexpectedly received a new set of data from our IT provider containing 50,000 data retrieved by the employee between January of 2021 and November of 2022, after which SIRI initiated a manual review of the data.

On 7 December 2022, SIRI reported the now former employee to the police.

On 13 December 2022, SIRI began informing approximately 273 affected individuals about the unauthorised access to their personal data based on the initial data set.

On 28 February 2022, based on the comprehensive and time-consuming manual review of the new set of data containing 50,000 data logs, SIRI began informing approximately 3025 affected individuals about the unauthorised access to their personal data.

On 3 March 2023, SIRI reported the additional data breach to the Danish Data Protection Agency (Datatilsynet).

General information regarding the data breach

When SIRI hires new employees, they are always security cleared. On their first day of work, new employees are also introduced to SIRI’s information security policy, just as the mandatory training programme for the entire ministry includes several elements regarding GDPR and information security. SIRI regularly carries out randomised checks of employees’ access to the CPR register. In addition, SIRI carries out audits on user rights and user access in our case processing systems.

On several occasions, SIRI has emphasised the internal guidelines regarding employees’ handling of tasks, including the fact that employees are only authorised to access personal data when this is required in order to carry out concrete work-related tasks.

Following the incident, SIRI has also initiated an evaluation of SIRI’s procedures and guidelines regarding the logging of data, user rights and audits. Among other things, SIRI will review how access is given to SIRI’s systems, to which systems access is given, the extent of the access, how audits are carried out, which data loggings are registered, under which circumstances data logs can be accessed, how long log data is preserved, and under which circumstances employees’ access to systems can be suspended.

Contact information for enquiries from the press

SIRI’s press phone: +45 72 14 21 00

SIRI's press email: presse@siri.dk