Danske Bank has confirmed that it accidentally exposed the addresses of roughly 20,600 customers to third parties last year.
The bank said it became aware of the problem in October, and later checks found that a significant number of clients had been affected.
The data was only visible if recipients opened detailed payment information, and other payment types were not affected, it said, attributing the breach to “human error during a planned system update.”
In February, it removed the protected address details from transaction information held in its own systems.
The Danish lender also contacted other banks and asked them to remove the same information where feasible.
However, it also highlighted that it “has not been possible to delete the address information from documents that the banks in question have sent during the period”.
After discovering the matter, the bank said it carried out a number of reconciliation reviews and added controls.
It also said it had introduced regular checks, together with organisational and technical steps, to lower the risk of similar cases happening again.
Meanwhile, in December 2025 , Danske Bank said in that its three-year corporate probation with the US Department of Justice had ended.
The bank said this closed the process tied to the case involving the non-resident portfolio at its former Estonia branch.
In December 2022, Danske Bank reached final co-ordinated settlements with the US Department of Justice, the US Securities and Exchange Commission and Denmark’s Special Crime Unit after investigations into failings and misconduct linked to the non-resident portfolio at the bank’s former Estonia branch.
