Denmark's most devastating hacker attack could have been prevented from escalating if the national police Rigspolitiet and the IT company CSC had reacted to a critical report by Deloitte in June 2012, Politiken reports.
By the time Deloitte had warned authorities that their systems were sensitive to cybercrime, hackers had already gained access to personal data from the driving licence database and a register of wanted persons in the Schengen Region.
Over a period lasting at least four and half months in 2012, the hackers stole four million Danish driving licence ID numbers from the police database. However, it took a tip-off from the Swedish authorities nine months later, in March 2013, before the Danish police and CSC realised the seriousness of the case.
The smoking gun
Ignoring the report was a big mistake, according to Peter Kruse, the head of CSIS Security Group.
“The report is the smoking gun when it comes to the lousy IT security that made the hacking attack possible,” he told Politiken.
"It goes like this: Deloitte sends a piece of paper to CSC and Rigspolitiet telling them that all doors and windows in their house are open. At the same time, the uninvited guests sneak around and take everything they want from the house. But neither CSC nor Rigspolitiet reacts."
Michael Steen Hansen, the head of IT at Rigspolitiet, responded to the criticism and confirmed that the police didn’t analyse the consequences. Back then, it lacked the evidence to back the suspicion that the systems had been hacked.
The trial against the two hackers will begin in September.