What Happened
Den kulturelle skolesekken (DKS), or "The Cultural Schoolbag," is a Norwegian national programme that provides students across primary and secondary schools with access to professional arts and cultural experiences. It is managed by the government agency Kulturtanken.
According to reporting by Daily Dark Web and Cybersecurity News Everyday, a threat actor posted data allegedly exfiltrated from the DKS portal on a well-known cybercrime forum (BreachForums) on or around March 1, 2026. The actor, identified by the handle "Spirigatito," claimed the dataset contains approximately 1,389,534 rows of data.
The alleged breach includes names, email addresses, phone numbers, physical addresses, nationalities, languages spoken, internal communications (including message subjects and content), and performer and tour application details.
DKS acknowledged the incident in a public notice on March 3, 2026, stating that their technology vendor Netpower had informed them of indicators of a possible data leak from the DKS portal. DKS noted in their statement that, based on preliminary findings, the incident appears to be related to the platform's internal search functionality. They stated that there are currently no indications that passwords, login credentials, or national identity numbers were exposed, but they could not rule out that contact details such as names, email addresses, and phone numbers may have been compromised.
Timeline
- March 1, 2026 — Threat actor "Spirigatito" posts data on BreachForums claiming 1,389,534 rows
- March 3, 2026 — DKS publishes official notice acknowledging the incident
- March 2026 — Vendor Netpower investigating root cause related to platform search functionality
Impact and Risk Assessment
For Individuals
Contact details of cultural workers, performers, educators, and potentially students' parents may have been exposed.
Internal communications, including message subjects and content, may reveal sensitive discussions about programme operations.
For Organisations
The government agency Kulturtanken and its vendor Netpower face scrutiny over the security of a platform handling citizen data.
Cultural organisations and performers who participated in DKS programmes may need to manage increased phishing risk.
Regulatory Context
Norway's Personal Data Act (Personopplysningsloven), which implements GDPR, applies. The Norwegian Data Protection Authority (Datatilsynet) may investigate.
As a government-managed programme handling data on minors and educators, additional scrutiny may apply.
What Should You Do?
For Individuals
- If you have participated in DKS programmes as a performer, educator, or organiser, be alert to phishing attempts using your personal details.
- Review the DKS official notice for updates on the investigation and any actions you should take.
For Security Professionals
- Public sector platforms serving education should review search and API endpoints for bulk extraction vulnerabilities.
- Vendor risk management in the public sector should include security requirements in procurement contracts and ongoing oversight of platforms processing citizen data.
Learnings and Recommendations
Public sector platforms, especially those serving education and cultural programmes, are often built with functionality and accessibility in mind rather than security hardening. They tend to accumulate large volumes of personal data over years without necessarily applying the same security rigour expected in financial services or healthcare.
This incident also highlights vendor risk in the public sector. DKS attributed the issue to its technology vendor Netpower, which underscores the importance of security requirements in procurement contracts and ongoing oversight of third-party platforms that process citizen data.
For organisations operating similar platforms, particularly those holding data on minors, educators, and cultural workers, it is worth reviewing what data is stored, whether it is all still necessary (data minimisation), and whether search and API endpoints are properly secured against enumeration or bulk extraction.
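One way to check search endpoints for bulk extraction from the defender's side is to review access logs for clients whose search activity looks like a sweep of the index rather than ordinary use. The sketch below is an added example, not code from DKS, Kulturtanken or Netpower, and it does not describe the actual flaw, which the public notice does not detail. The JSON log format, field names, thresholds and sample lines are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque

# All limits are assumed values; tune them against real traffic.
WINDOW_S = 600     # sliding window length in seconds
MAX_ROWS = 2000    # rows one client may pull per window
MAX_SHORT_Q = 10   # distinct 1-2 character queries per window
MAX_PAGE = 20      # deepest result page a person plausibly opens

def find_bulk_extraction(lines):
    """Return {client: sorted reasons} for clients that exceed any limit."""
    recent = defaultdict(deque)   # client -> events still inside the window
    flagged = defaultdict(set)
    events = sorted((json.loads(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        win = recent[ev["client"]]
        win.append(ev)
        while win[0]["ts"] <= ev["ts"] - WINDOW_S:
            win.popleft()         # drop events older than the window
        rows = sum(e["rows"] for e in win)
        # Wildcards and spaces are stripped before measuring query length.
        short_q = {e["q"] for e in win if len(e["q"].strip("*% ")) < 3}
        if rows > MAX_ROWS:
            flagged[ev["client"]].add("row_budget")
        if len(short_q) > MAX_SHORT_Q:
            flagged[ev["client"]].add("short_query_sweep")
        if ev["page"] > MAX_PAGE:
            flagged[ev["client"]].add("deep_pagination")
    return {c: sorted(r) for c, r in flagged.items()}

def sample_log():
    """Constructed log lines: one ordinary user, one client sweeping the index."""
    normal = [{"ts": t, "client": "198.51.100.7", "q": q, "page": 1, "rows": 15}
              for t, q in [(0, "teater oslo"), (40, "konsert bergen"), (900, "dans")]]
    pairs = [(c, p) for c in "abcdefghijklmnop" for p in (1, 2)]
    sweep = [{"ts": 100 + i, "client": "203.0.113.9", "q": c, "page": p, "rows": 100}
             for i, (c, p) in enumerate(pairs)]
    return [json.dumps(e) for e in normal + sweep]

if __name__ == "__main__":
    print(find_bulk_extraction(sample_log()))
```

The same three limits (a row budget per client, a minimum query length, a page-depth cap) can also be enforced in the search handler itself, so that detection in logs is a backstop rather than the only control.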
References
[1] Den kulturelle skolesekken - Official notice (Norwegian) — https://www.denkulturelleskolesekken.no/2026/03/03/mulig-datalekkasje-fra-dks-portalen/
[2] Daily Dark Web - DKS Data Breach Exposes 1.3M Records — https://dailydarkweb.net/den-kulturelle-skolesekken-data-breach-exposes-1-3m-records/
[3] Darknetsearch.com - Norway Database Breach — https://darknetsearch.com/knowledge/news/en/norway-database-breach-1-3m-records-allegedly-exposed/