During a period of three months in 2025, Danske Bank experienced an issue causing protected addresses to be visible to recipients of domestic payment transactions as part of the payment details in Denmark. Other payment types, such as MobilePay payments, card payments and invoice payments, were not affected by the issue.

The issue occurred despite multilayered technical and organisational controls being in place. When the issue was identified in October 2025, a correction was deployed immediately, and we initiated an investigation to determine the scope and root cause of the issue.

The issue arose from a human error during a planned system update, which affected the system in question and subsequently meant that existing controls did not detect the error at the time.

Following initial confirmation of three customers affected by the issue, we conducted further investigations to establish the full scope of the issue. This work confirmed that a larger group of customers had been affected, and the findings were subsequently shared with the Danish Data Protection Agency, with which we remain in close dialogue. We have also informed The Danish Financial Supervisory Authority of the issue.

Our further investigations show that some 20,600 customers with protected addresses have been affected and that the customers have on average made approximately five payment transactions in the period, to either private and/or business/public sector recipients. However, access to the protected address information required the recipient to actively open the relevant payment details.

We have removed the protected address information from transaction details within our own systems. This deletion was implemented by February 2026 and ensures that protected addresses are no longer visible in payment transactions between Danske Bank customers.

We have also contacted other financial institutions to whom customers have made transactions, to request that protected address information be removed from their systems where possible. This work is completed for the vast majority of transactions, and confirmations are being collected as part of our handling of the issue. However, it has not been possible to delete the address information from documents that the banks in question have sent during the period. This is the case, for example, with account statements sent to recipients of transfers via digital or physical mail.

Since identifying the issue, we have performed several reconciliation exercises and implemented controls to ensure our processes are operating correctly and further integrated regular controls, alongside organisational and technical measures to further reduce the risk of similar incidents occurring in the future.

Customer trust and security are of the utmost importance to Danske Bank. We take the matter very seriously and sincerely apologise for this situation and the impact it may have on our customers. We understand that this situation may cause concern and have provided each affected customer with information about the issue and their rights and remain fully available in case of questions or concerns.