Danish vehicle registry data breach leaves 73,000 at risk for years

Danish authorities have yet to explain how a major data breach in the national vehicle registry exposed the personal details of up to 73,000 people—including those with protected status—for nearly five years, DR Nyheder reports.

The Danish Motor Agency (Motorstyrelsen) confirmed two weeks ago that private companies had improper access to names and addresses in the Motor Registry from 2021 until 15 July 2025, despite affected individuals having requested name and address protection. The agency has since failed to clarify how the breach occurred, why it went undetected for years, or which companies accessed the data.

When questioned by DR Nyheder, the agency responded only that it is “working on an answer,” with no timeline for a response. The breach allowed searches for personal details using vehicle chassis numbers, licence plates, or vehicle IDs.

Protected individuals demand transparency

Anders Friis, an IT security coordinator whose data was exposed, criticised the lack of transparency. “I don’t understand why they won’t disclose who had access,” he told DR Nyheder. “This is crucial for those of us with protected status to assess the risks we’ve been exposed to.”

Friis, who previously worked in environments involving criminal networks, warned that leaked addresses could endanger victims of domestic violence, honour-based violence, or others at risk. “If the wrong people get this information, it could threaten lives,” he said.

The Motor Agency claimed it notified affected companies on 14 July but admitted it does not know which firms may have exploited the access. A request by Friis for public records on the matter was denied.

Experts question lack of logging

Thomas Hildebrandt, a professor at the University of Copenhagen’s Department of Computer Science, called the failure to log access a “double error.” Under GDPR rules, agencies are expected to track who accesses sensitive data, he noted, adding that the absence of logs makes it impossible to determine the scale of misuse.

“You’d expect a government agency to log this information,” Hildebrandt said. “The rules require measures proportional to the risks—but here, they failed both in granting unauthorised access and in not monitoring it.”

The Motor Agency’s deputy director, Claus Holm, previously stated the agency “deeply regrets” the breach and closed the vulnerability upon discovery. The incident has been reported to the Danish Data Protection Authority, which may investigate further.

Affected individuals can file complaints with the authority over the agency’s handling of their data.