Insurer fined $3M for exposing data of 650k customers for 2 years

The Swedish Authority for Privacy Protection (IMY) has fined insurer Trygg-Hansa $3 million for exposing on its online portal sensitive data belonging to hundreds of thousands of customers.

Trygg-Hansa is an insurer for individuals, private companies, and public organizations, and also an asset management and investment consultation firm.

IMY initiated an investigation into the firm after receiving a tip from a Moderna Försäkringar (now part of Trygg-Hansa) customer, who had discovered it was possible to access the insurer’s backend by following links available on quote pages sent to customers.

These are sent to all existing or potential customers via SMS or email, containing a unique web address (URL) to a quote page on Trygg-Hansa’s website.

IMY confirmed that the backend database was accessible without requiring authentication, and they could browse private documents from other individuals by modifying in the URL the customer ID number, which was sequential.
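One way to close the ID-tampering hole described above, as an added example that is not from the article, IMY's decision, or Trygg-Hansa's system: the link carries an HMAC tag bound to the ID, so changing the ID invalidates the link. The names `customer_id`, `LINK_KEY`, the `/quote/...` path and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records keyed by sequential customer ID.
QUOTES = {1001: "quote documents for customer 1001",
          1002: "quote documents for customer 1002"}

# Hypothetical server-side key; never sent to the client.
LINK_KEY = secrets.token_bytes(32)


def _tag(customer_id: int) -> str:
    """HMAC-SHA256 over the ID, so a tag is valid for one ID only."""
    return hmac.new(LINK_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()


def fetch_unprotected(customer_id: int) -> Optional[str]:
    """Flawed pattern from the article: the ID in the URL is the only check."""
    return QUOTES.get(customer_id)


def make_quote_link(customer_id: int) -> str:
    """Path placed in the SMS/e-mail: the ID plus its tag."""
    return f"/quote/{customer_id}?sig={_tag(customer_id)}"


def fetch_protected(customer_id: int, sig: str) -> Optional[str]:
    """Serve documents only when the tag verifies for this exact ID."""
    # Compare as bytes in constant time; a changed ID or tag fails here.
    if not hmac.compare_digest(_tag(customer_id).encode(), sig.encode()):
        return None
    return QUOTES.get(customer_id)


if __name__ == "__main__":
    link = make_quote_link(1001)
    sig = link.split("sig=", 1)[1]
    print(fetch_unprotected(1002))        # neighbouring ID is served
    print(fetch_protected(1001, sig))     # own link works
    print(fetch_protected(1002, sig))     # tampered ID is rejected
```

A signed link is still a bearer credential for whoever holds the message, so records of this sensitivity also call for an authenticated session behind the link.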

About 650,000 customers were impacted. The information exposed included:

  • Personal data
  • Health information
  • Situation details
  • Financial information
  • Contact details
  • Social security number
  • Insurance details

To make matters worse, IMY determined that the data was exposed through Trygg-Hansa’s portal to unauthorized parties for more than two years, between October 2018 and February 2021.

Such an extensive exposure period increases the likelihood of someone discovering the flaw and exploiting it to collect sensitive information.

This type of data can then be sold to cybercriminals and used for scamming, phishing, and even extorting the exposed individuals.

IMY has been able to confirm at least 202 cases of customers who had their personal information exposed to unauthorized users, but this may be the tip of the iceberg.

“The deficiencies have been of such a fundamental nature that Trygg-Hansa should have been able to detect and remedy these before the current IT system was launched and, in any case, during the long period the system was used.” – IMY

The insurer’s failure to remedy the issues all this time, even after it received reports about the flaw, according to IMY, indicates a severe shortfall in data security and risk mitigation measures, for which the regulator decided to impose an administrative penalty of $3M.

The full IMY decision on the Trygg-Hansa case is available here.
