The Swedish Authority for Privacy Protection (IMY) has fined insurer Trygg-Hansa $3 million for exposing, on its online portal, sensitive data belonging to hundreds of thousands of customers.
Trygg-Hansa is an insurer for individuals, private companies, and public organizations, and also an asset management and investment consulting firm.
IMY opened an investigation into the firm after receiving a tip from a Moderna Försäkringar (now part of Trygg-Hansa) customer, who had discovered it was possible to reach the insurer's backend by following links contained in quotation pages sent to clients.
These quotation pages are sent to all current and prospective customers via SMS or email and contain a unique web address (URL) pointing to a quote page on Trygg-Hansa's website.
IMY confirmed that the backend database was accessible without any authentication: by changing the customer ID number in the URL, which was sequential, anyone holding one such link could browse the private documents of other individuals.
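The flaw described above is an insecure direct object reference: a sequential identifier in the URL selects the record, and nothing checks that the requester is its owner. As an added illustration (not code from Trygg-Hansa or IMY), here is that weak lookup beside a hardened form and a simple log check for ID enumeration; the quote store, the token map and the log format are constructed for the example.

```python
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample store keyed by sequential customer IDs, as on the exposed portal.
QUOTES: Dict[int, str] = {1001: "quote for customer 1001",
                          1002: "quote for customer 1002"}

def get_quote_vulnerable(customer_id: int) -> Optional[str]:
    """Weak pattern: the record is fetched by the guessable ID from the URL alone,
    with no check of who is asking, so any valid ID returns that customer's quote."""
    return QUOTES.get(customer_id)

# Hardened pattern: the link sent by SMS/email carries a random, single-purpose token
# that the server maps to exactly one customer, and the handler also requires that the
# authenticated session belongs to that customer before returning the document.
QUOTE_TOKENS: Dict[str, int] = {}

def issue_quote_link(customer_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits of entropy; cannot be enumerated
    QUOTE_TOKENS[token] = customer_id
    return token

def get_quote_hardened(token: str, session_customer_id: int) -> Optional[str]:
    owner = QUOTE_TOKENS.get(token)
    if owner is None or owner != session_customer_id:
        return None                     # unknown token, or not the record's owner
    return QUOTES.get(owner)

# Detection: a legitimate recipient opens one quote; a client that walks many distinct
# customer IDs is enumerating. The log format is a constructed simplification.
LOG_RE = re.compile(r"^(\S+) GET /quote\?customer=(\d+)")

def enumeration_suspects(log_lines: List[str], threshold: int = 3) -> List[str]:
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)

SAMPLE_LOG = [  # constructed lines, not from Trygg-Hansa's systems
    "10.0.0.5 GET /quote?customer=1001",
    "10.0.0.9 GET /quote?customer=1001",
    "10.0.0.9 GET /quote?customer=1002",
    "10.0.0.9 GET /quote?customer=1003",
]
```

The hardened handler denies both an unknown token and a valid token presented by a different customer, and the detection pass flags only the client that touched three distinct IDs.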
About 650,000 customers were affected. The exposed information included:
- Personal data
- Health information
- Condition details
- Financial information
- Contact details
- Social security number
- Insurance details
To make matters worse, IMY determined that the data was exposed through Trygg-Hansa's portal to unauthorized parties for more than two years, between October 2018 and February 2021.
Such a long exposure window increases the likelihood that someone discovers the flaw and exploits it to harvest sensitive information.
This type of data can then be sold to cybercriminals and used for scams, phishing, or even extortion of the exposed individuals.
IMY was able to confirm at least 202 cases of customers whose personal information was exposed to unauthorized users, but this may be only the tip of the iceberg.
The insurer's failure to remedy the issue for all that time, even after it received reports about the flaw, indicates, according to IMY, a severe shortfall in data protection and risk mitigation measures, for which the regulator decided to impose an administrative penalty of $3M.
The full IMY decision on the Trygg-Hansa case is available here.