The Swedish Authority for Privateness Safety (IMY) has fined insurer Trygg-Hansa $3 million for exposing on its on-line portal delicate knowledge belonging to lots of of hundreds of consumers.
Trygg-Hansa is an insurer for people, non-public firms, and public organizations, and likewise an asset administration and funding session agency.
IMY initiated an investigation on the agency after receiving a tip from a Moderna Försäkringar (now a part of Trygg-Hansa) buyer, who had found it was attainable to entry the insurer’s backend by following hyperlinks out there on citation pages despatched to shoppers.
These are despatched to all present or potential clients through SMS or e-mail, containing a novel internet deal with (URL) to a quote web page on Trygg-Hansa’s web site.
IMY confirmed that the backend database was accessible with out requiring authentication, they usually may browse non-public paperwork from different people by modifying within the URL the consumer ID quantity, which was sequential.
About 650,000 clients have been impacted. The data uncovered included:
- Private knowledge
- Well being data
- Situation particulars
- Monetary data
- Contact particulars
- Social security quantity
- Insurance coverage particulars
To make issues worse, IMY decided that the info was uncovered by way of Trygg-Hansa’s portal to unauthorized events for greater than two years, between October 2018 and February 2021.
Such an in depth publicity interval will increase the probability of somebody discovering the flaw and exploiting it to gather delicate data.
This kind of knowledge can then be offered to cybercriminals and used for scamming, phishing, and even extorting the uncovered people.
IMY has been in a position to affirm at the least 202 circumstances of consumers who had their private data uncovered to unauthorized customers, however this can be tip of the iceberg.
The insurer’s failure to treatment the problems all this time, even after it obtained studies concerning the flaw, based on IMY, signifies a extreme shortfall in knowledge security and threat mitigation measures for which the regulator determined to impose an administrative penalty of $3M.
The total IMY choice on the Trygg-Hansa case is out there right here.
