Data Leak – Gyldendal Uddannelser

~750,000 individuals (students and teachers) were affected by a data leak via a legacy API at Gyldendal Uddannelser. An unknown IP address made ~73,000 queries accessing personal data through an API that had existed for ~10 years.

On 15 May 2022, the company received an anonymous email warning of the vulnerability and threatening to report it to Datatilsynet. The API was shut down on 16 May 2022. GDPR enforcement and substantial fines were anticipated.

Eagle Shark

• Gyldendal Uddannelse — Official statement
• TV2 — Skoler og institutioner ramt af stort datalæk
• Version2 — Åben datadør hos Gyldendal
• Version2 — Gyldendal indstillet til GDPR-millionbøde