Data security blunder in Gladsaxe Municipality compounded

Once again, sensitive information about citizens has been leaked by a public body

On Monday, 20,000 citizens in Gladsaxe Municipality were alerted via their e-box that some of their confidential information had been accidentally leaked through a combination of a breach of security procedures and a burglary at the municipality.

The information in question included their CPR number, age, gender, address, family circumstances and, in some cases, details of the person’s dealings with the municipality regarding benefits, and even whether they are members of the Danish state church.

Indecent exposure
Now the municipality has put its foot in it again – by exposing the victims on Facebook, reports Politiken.

The municipality has been conducting a dialogue with some of the affected citizens on the social media platform – an open platform not exactly renowned for its high levels of security.

Blackmail risk
“There are a lot of frustrated and anxious people out there who have an understandable need to air their views and talk to other people in the same boat, but they are acting somewhat in the dark and exposing themselves publicly,” said Peter Kruse, the founder of IT security company CSIS.

He went on to point out that these people were making themselves extra vulnerable because anyone could now see they had been hit by the leaks. Even if a cybercriminal doesn’t have access to the leaked data, they can still gain valuable information on the victims that can be used to blackmail them.

Putting a brave Facebook on it
In a written answer to Politiken, municipal director Bo Rasmussen justified the use of Facebook by saying “we want to be an open municipality that meets citizens where they are – also on Facebook – and we will continue to do so.”

He did add, though, that “we are of course aware that we can only confine ourselves to general facts and knowledge already out in the open. We never discuss sensitive personal information on Facebook. In such cases, we always refer people to the Borgerservice platform.”