Coalition parties eyeing new CPR number system

Identity theft is made easier by Denmark’s national social security number system, which includes information about age and sex

As the national social security (CPR) number system continues to display vulnerability to ID theft, coalition parties Radikale and Socialdemokraterne are leaning towards making a change.

A study carried out by the University of Copenhagen this week showed that up to 50,000 Danes will fall victim to identity theft this year.

“We can see that identity theft is rife and can conclude that CPR numbers are relatively easy to get hold of,” Andreas Steenberg, the IT spokesperson for Radikale, told DR Nyheder. 

Use NemID instead
Steenberg said that websites that allow users to log in using their CPR numbers are particularly risky, because the CPR number includes details about the person’s age and sex. He said that the NemID log-in system should be used instead.

“Just by gaining access to another person’s insurance card [sygesikringskort], you can buy things from companies, leaving the unfortunate victim with a massive bill,” Steenberg said.

The NemID system, however, has shown itself to be vulnerable to hacker attacks and thefts. Earlier this year, hackers behind a DDoS attack on NemID said they were able to shut down the system with a programme purchased online for less than $10 (a little less than 60 kroner).


Council wants new system by 2015
The digital security committee, Rådet for Digital Sikkerhed, recommends that the 45-year-old CPR system be replaced altogether because it fails to live up to the security demands of today's digitalised world.

The CPR registry was established in 1968 and contains the name, address, ID number, date, citizenship, place of birth and other information of everyone within the system. Individuals' CPR numbers consist of their birth date as the first six digits, followed by four unique digits. The CPR numbers of males end in an odd digit, while females' numbers end in an even digit.   

Rådet for Digital Sikkerhed urged the government to consider a new system that does not include personal information that can be abused.

“We must reduce the risk of abuse and our private information should only be shared when it is absolutely necessary,” Birgitte Kofod Olsen, the head of Rådet for Digital Sikkerhed, told Jyllands-Posten newspaper. “There is often no need to disclose one's age and sex, so this information should be removed altogether.”

The committee argued that a revision of the CPR system should be followed up with new guidelines for digital identification and authentication. These guidelines should be in place before the bidding process for the replacement for the current NemID system begins in 2015.

ID theft at record highs
Police statistics reveal that identity theft has increased four-fold since 2008 and they contend that lax security practices by retailers and the outdated CPR system have made it easier for someone to lift another person’s identity.

The risk of ID theft was also laid bare for Margrethe Vestager (Radikale), the interior and economy minister, earlier this year when a TV2 News reporter went online and in less than two minutes found the last four digits of the minister’s CPR number simply by searching Vestager’s name and birthday.

Radikale's government coalition partners, Socialdemokraterne, agreed that there were weaknesses in the current CPR system, but have not yet taken an official stance on the matter.

Factfile | How to change the CPR system

Rådet for Digital Sikkerhed proposed that the CPR number system should be changed in the following order over several years:

Step 1 – People who have been victims of ID theft and have had their personal ID numbers irreversibly compromised should be offered new personal ID numbers.

Step 2 – For a reasonable price, citizens who wish to do so should be granted a new personal ID number that does not include information about their age and sex.

Step 3 – All other citizens should be assigned a new personal ID number that does not include information about their age and sex. New insurance cards, passports and driver's licences should also be issued.

Step 4 – In the long run, the current CPR system should be replaced by a new digital ID system that is secure and that protects the person’s private life details.