Norkart data leak | Data Inspectorate

Briefly about the case

According to a report from Norkart, personal information such as name, address and birth number applies to nearly 3.3 million people (current and former owners of the property in Norway). According to Norkart, this should not include people who live at a secret address.

Birth number itself is not sensitive information. However, when comparing birth numbers with address information, there may be a risk of misuse, such as identity theft. So we take this very seriously, says Jan Stang Dahl, acting director.

The case is handled by the Norwegian Data Protection Authority, and we have contact with Norkart and the Norwegian Mapping Authority. The police are also investigating the case.

What are you doing?

We recommend that everyone involved be aware if abnormal movements are detected, for example in connection with insurance, banks or credit cards. Also keep an eye out for credit checks that you are not aware of or that you are receiving abnormal emails.

Read more about what you can do if you discover something abnormal or suspect that you are a victim of identity theft.

See the press release at
Norkart also asked some questions and answers about the case


At the moment, there are many who would like to put an end to the credit rating companies. Hence, these companies are witnessing a huge increase and some of them have faced challenges with hard to reach.

Entering a credit block Can A precautionary measure, but you will then have to raise the block again as necessary to complete the purchase. So the most important thing is to be aware and keep track of unknown account movements. If you encounter something suspicious, you should check it out further. Then, for example, placing a credit block would be a good metric.

Read more about how to prevent identity theft and what to do if you suspect such fraud at

industry tips

In this context, we encourage players involved in various forms of commerce not only to accept the SSN as an identifier, but also to request another form of identification to avoid abuse.

Furthermore, we will encourage suppliers and companies to use strong authentication associated with their services. The general recommendation is to use two-factor authentication. There are many companies that actually only use one-factor solutions, but seem to be two-factor. For example, using a Social Security number with a code in an SMS should not be considered a two-factor solution. If you as a supplier or business use a Social Security number as part of logging in, we recommend an evaluation of the authentication method to increase your security.

Read more about strong authentication

The new credit information law will replace the current licensing system

The new Credit Information Act and Regulations will enter into force on July 1, 2022. The Credit Information Act will replace the current licensing system. In its round of consultations for the new law, the Data Inspection Panel made it clear how important it is to create a joint ban registry.

When the licensing obligation of credit information law is replaced by regulations, the data inspection body will not be able to maintain an overview of companies engaged in credit information activities. Without a common block history, it would be difficult for people to know where to go to set up a credit ban. The responsibility for the new credit information law rests with the Ministry of Family and Child Affairs.

Read a draft of a new law on the processing of information in credit information activities (

Read our response to the consultation (

Leave a Comment

Your email address will not be published. Required fields are marked *