Danske Bank has disclosed news of an historical data incident that exposed protected address information in domestic payment transaction details for 20,600 customers in Denmark.

The bank said the issue occurred over a three-month period in 2025 and affected domestic transfers only. Other payment types, including card payments, invoice payments and MobilePay transactions were unaffected.

Danske Bank said it identified the problem in October 2025 and deployed a fix immediately before launching an internal investigation. The bank traced the incident to human error during a planned system update, which it said prevented existing controls from detecting the problem at the time. The issue occurred despite Danske deploying multilayered technical and organisational controls, it said.

Following initial confirmation of three customers affected by the issue, Danske conducted further investigations to establish the full scope of the issue which confirmed that a larger group of customers had been affected.

The bank shared its findings with the Danish Data Protection Agency and remains in contact them about the issue. Danske Bank added that it has also alerted The Danish Financial Supervisory Authority.

Affected customers made an average of five transactions over the three-month period. The affected payments include those made to private, business and public sector recipients.

Danske Bank said that access to the protected address information required the recipient to actively open the relevant payment details.

Danske said it has since removed the protected address information from transaction details within its own systems. This deletion was implemented by February 2026 and ensures that protected addresses are no longer visible in payment transactions between Danske Bank customers.

The company has also contacted other financial institutions to whom customers have made transactions to request that protected address information be removed from their systems where possible.

Since identifying the issue, Danske said it has undertaken several reconciliation exercises and implemented controls to ensure its processes are operating correctly. Additionally, it has further integrated regular controls, alongside organisational and technical measures, to further reduce the risk of similar incidents occurring in the future.

“Customer trust and security are of the utmost importance to Danske Bank,” the company said in a statement. “We take the matter very seriously and sincerely apologise for this situation and the impact it may have on our customers.

“We understand that this situation may cause concern and have provided each affected customer with information about the issue and their rights and remain fully available in case of questions or concerns.”

In late May, UK banking group Lloyds exposed almost half a million customers’ data to other users of its payment apps, leading to a payout of at least £139,000.

---