Altinn is a web service run by the Norwegian government, on which citizens can find, fill out and deliver forms electronically. Every year Norwegian citizens can also log in to check their tax results. Since the birth of Altinn, the public has complained that the service is too slow, and every year the server has crashed due to high traffic from people wanting to check their taxes.
2012 has proven to be no different. The tax results were published at around 6:00 AM local time on Tuesday the 20th. By 9:00 AM over 200,000 people had tried to log on, and as a result the server crashed.
This remained the status until noon, when traffic evened out and the server was stable again. Logging in is fairly simple: you type in your social security number and a personal password, and you receive a PIN code that you need to type in. At 6:17 PM local time, every single user who tried to log in went right past the login screen and found themselves logged in as Kenneth, a 36-year-old man from Oslo.
Users then had access to all of this unfortunate person's financial data going back more than two years, in addition to the financial information of his wife and the company he worked for. Altinn shut down some 15 minutes later, and has been down since.
It is not known how many people got access to this information, or whether any data were copied or downloaded. According to Jørgen Ferkinstad, communications director for Altinn, Kenneth had logged in and his information was stored in the server’s cache memory.
It is unknown how long Altinn will be down, and what is being done to prevent this from happening again. At 8:00 PM Kenneth had contacted his lawyer and refused to give any statement. Brønnøysundregisteret, the company responsible for the web portal, assembled for a crisis meeting at 11:00 PM. To make matters worse, DNV, a Norwegian company responsible for quality assessment and certification, published a report at the beginning of 2012, stating:
“Altinn is a rushed solution, testing has been lackluster at best, the service has very few options for future upgrades and the overall quality is considered to be below average. Furthermore, we question the competence and preparation of the publisher to manage such a complex system as Altinn.”
According to this report, there were no plans for backup, and the service was not built to handle the scale of the requests seen on Tuesday morning.