Big demand for Altinn
When the tax return for wage earners was ready in March 2012, many people were met with a message warning of queues. The pages were not down. Several thousand wage earners were logged on to the solution at the same time, while others were asked to try again later.
The media saw this as a good story, and the same evening they reported another incident relating to Altinn. Several people logged on to their profiles, but were directed to the profile of a man from Oslo instead. They were able to read the names and personal identity numbers of two people. This resulted in the Altinn platform being shut down, and it was not reopened until two and a half days later.
'This case, which has been called the Kenneth affair, is a security breach with limited consequences. The surrounding security procedures worked as intended, and in our opinion, it was sensible to notify us at the Norwegian Data Protection Authority and close the platform pending clarification,' says Helge Veum, Director of the Audit and Security Department at the Norwegian Data Protection Authority.
An analysis showed that no one was logged on as the Oslo man. It was an error in a data component that led to the front page of the message box appearing.
Following the incident, Altinn implemented measures to prevent queues and the recurrence of anything similar in future. Among other things, new and more powerful servers were put in place, and the security of the solution was tested regularly. In December, end-to-end encryption was launched for forms and services containing sensitive information.
Media interest: Here is an example of what the media reported after the incident on 20 March 2012. It is taken from the website of the weekly Teknisk Ukeblad.