Security incident February 2019

The University of Copenhagen has discovered a security breach in which approximately 3,000 civil registration numbers were accessible to a group of employees whose duties involve working on an IT system. Stricter limits on access to personal data in the IT system, deletion of data and new procedures will ensure that this does not happen again.

The civil registration numbers were accessible via an IT system used by approximately 400 members of staff at the University of Copenhagen. The numbers were only visible if an employee actively searched for them.

The security incident occurred in the University’s IT-Self Service system when users set up one of three different requests. The procedure requires users to fill in their civil registration number, name and contact details so that a member of staff at the University of Copenhagen can process their request. The relevant procedures are:

  1. CPR numbers, connecting
  2. RejsUd/CWT (External)
  3. Scanpas, Change address

Some 3,000 people made one of these requests and were therefore affected by the security breach. The incident has been reported to the Danish Data Protection Agency.

Safeguarding data in the future

UCPH IT – the University of Copenhagen IT department, which administers the system – has resolved the security breach by restricting access to these requests to the three people responsible for dealing with such procedures. Unauthorised individuals therefore no longer have access to either current or future requests.

UCPH IT is in the process of deleting data from the system that the University no longer needs. It will also introduce better and more systematic deletion of personal data and ensure more secure procedures in the future.

All of the employees who were able to access the personal data concerned are bound by a duty of confidentiality.

Questions?

If you have any questions, please feel free to contact the University of Copenhagen’s data protection officer.

Lisa Ibenfeldt Schultz
dpo@adm.ku.dk