Telenor subcontractor Identitrade AB had access to the information held by Skatteverket when customers logged into their Skatteverket account via Telenor's site using an “e-legitimation” digital ID.
Info the company had access to included where users live and how much they earn. Skatteverket's head of security told newspaper Dagens Nyheter (DN) that using the process to access personal data is not permitted.
“It's an unchecked secondary login. You as a citizen give a private actor access to information about you,” Pär Rylander from Skatteverket explained to DN.
READ ALSO: Swedish government in IT security slip-up
Skatteverket blocked the secondary log-in process once they found out about the error, and estimate around 140,000 people were affected – more than Telenor's 120,000 estimation.
“The investigation is ongoing but that could be a sign that more companies than Telenor used the service,” Rylander explained.
Telenor say that they use the secondary log-in system to verify customers in their online payment system, but erroneously took in more information than necessary.
Telenor has also reported the mistake to the Data Protection Authority, and insist that the personal data has not been spread to any other parties.