Digitaliseringsstyrelsen (Agency for Digital Government) – Violation Found (Denmark, 2023)

Violation Found (final)
Datatilsynet (Norway) | 23 June 2023 | Denmark

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Danish Digitaliseringsstyrelsen faced scrutiny after users could access other people's bank accounts through a digital identity solution called MitID. This incident raises concerns about data security and the importance of proper authentication measures.

What happened

Users logging into their online bank via MitID were able to access other citizens' accounts due to a security flaw.

Who was affected

Danish citizens who used the MitID solution to access their online banking services.

What the authority found

The Danish data protection authority found that the Digitalisation Agency failed to enforce necessary security measures, leading to the data breach.

Why this matters

This situation highlights the critical need for robust security protocols in digital identity solutions. Companies using such systems should ensure they implement strong validation measures to protect user data.

GDPR Articles Cited

Art. 32(1) GDPR
Full Legal Summary

Several Danish citizens had discovered that by logging into their online bank via MitID (https://en.digst.dk/systems/mitid/), a digital identity solution, they gained access to other citizens' accounts. Three different banks that were using the MitID solution within their online banking services each reported a data security breach to the Danish DPA. Following the reports from the banks, the Danish DPA initiated an investigation into the matter.

The MitID solution is owned in a joint partnership between the financial sector and the public sector, specifically the Digitalisation Agency. The Digitalisation Agency is the data controller for the processing of personal data in MitID. When the MitID solution is used and has verified that the user who wants to log in to a service is who they claim to be, an authentication response is generated, which is then sent to a broker (the company that conveys the authentication response; in this case Signaturgruppen, the data controller for the broker solution). The broker forwards the information to the service provider whose service the user wishes to access (in this case, the banks in question).

According to the Digitalisation Agency, the error was found to be due to the fact that login requests to the same online bank within milliseconds could in special cases cause MitID to issue a token for another session. This error could have been avoided if the broker (Signaturgruppen) had validated the citizens' login with a technology called "Broker Security Context". The Digitalisation Agency had recommended that the brokers implementing the solution perform the Broker Security Context, but had not made it a requirement. Signaturgruppen were recommended by the Digital Agency to perform validation of the tokens that are generated in connection with the login requests which the brokers receive from MitID. Nevertheless, Signaturgruppen had used the Broker Security Context in a different way than what was described in
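The broker-side validation the summary describes, shown as an added illustration that is not part of the original record or of the MitID documentation. It assumes the Broker Security Context can be modelled as a per-login nonce that the broker issues when a login starts and expects to find in the token that comes back; the real mechanism's details are not on this page, so the class names, fields and sample identities below are constructed.

```python
"""Broker-side check that a returned token answers the login this browser session
actually started. Constructed model of the MitID -> broker -> bank flow; treating
the 'Broker Security Context' as a per-login nonce is an assumption, not the real API."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Token:
    subject: str   # identity the identity provider verified
    nonce: str     # login context the provider claims this token answers
    audience: str  # service provider (bank) the login was for


@dataclass
class Broker:
    # nonce -> (browser session id, audience) for logins not yet completed
    pending: dict = field(default_factory=dict)

    def start_login(self, session_id: str, audience: str) -> str:
        """Open a fresh, unguessable context for this session's login attempt."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (session_id, audience)
        return nonce

    def accept_token(self, session_id: str, token: Token) -> Optional[str]:
        """Return the verified subject only if the token is bound to this session."""
        ctx = self.pending.get(token.nonce)
        if ctx is None:
            return None  # unknown or already consumed context: replay or stray token
        ctx_session, ctx_audience = ctx
        if ctx_session != session_id or ctx_audience != token.audience:
            return None  # token answers another session's login: do not log in
        del self.pending[token.nonce]  # contexts are single use
        return token.subject


def demo() -> dict:
    """Two logins to the same bank opened moments apart; as in the case described
    above, the provider's token for session A is delivered to session B's callback."""
    broker = Broker()
    nonce_a = broker.start_login("sess-A", "bank-x")
    nonce_b = broker.start_login("sess-B", "bank-x")
    token_for_a = Token(subject="citizen-A", nonce=nonce_a, audience="bank-x")
    return {
        "with_check_b_gets": broker.accept_token("sess-B", token_for_a),  # None
        "with_check_a_gets": broker.accept_token("sess-A", token_for_a),  # citizen-A
        "replay_for_a_gets": broker.accept_token("sess-A", token_for_a),  # None
        "b_login_still_open": nonce_b in broker.pending,                  # True
    }
```

A broker that skips the context check would hand session B the identity "citizen-A", which is the cross-account access the banks reported.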

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Digitaliseringsstyrelsen (Agency for Digital Government) in DK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

23 June 2023

Authority

Datatilsynet (Norway)

GDPRhub ID

gdprhub-6081

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Digitaliseringsstyrelsen (Agency for Digital Government) - Denmark (2023). Retrieved from cookiefines.eu
