Monday, November 25, 2024

Insurer fined $3M for exposing data of 650k customers for two years



The Swedish Authority for Privacy Protection (IMY) has fined insurer Trygg-Hansa $3 million for exposing sensitive data belonging to hundreds of thousands of customers on its online portal.

Trygg-Hansa is an insurer for individuals, private companies, and public organizations, and also an asset management and investment consultation firm.

IMY initiated an investigation into the firm after receiving a tip from a Moderna Försäkringar (now part of Trygg-Hansa) customer, who had discovered it was possible to access the insurer’s backend by following links available on quote pages sent to customers.

These are sent to all current or potential customers via SMS or email and contain a unique web address (URL) to a quote page on Trygg-Hansa’s website.

IMY confirmed that the backend database was accessible without requiring authentication, and so they could browse private documents from other individuals by modifying the client ID number in the URL, which was sequential.
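The weakness described above is that a sequential client ID in the URL was the only thing selecting whose documents were served. As an added example (not code from IMY or Trygg-Hansa), the sketch below binds each emailed quote link to one client ID with an expiring HMAC signature, so a link whose ID has been altered is denied. The host `insurer.example`, the `exp` and `sig` parameter names, the 14-day lifetime and the in-memory key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: in production this key comes from a secrets manager and is stable
# across restarts; it is generated here only so the example is self-contained.
LINK_KEY = secrets.token_bytes(32)
LINK_TTL = 14 * 24 * 3600  # constructed value: links stay valid for 14 days


def _sign(client_id: int, expires: int) -> str:
    """HMAC over the exact client ID and expiry the link was issued for."""
    msg = f"{client_id}:{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_quote_link(client_id: int, now: Optional[float] = None) -> str:
    """Build the quote URL that is sent out by SMS or email."""
    issued = time.time() if now is None else now
    expires = int(issued) + LINK_TTL
    sig = _sign(client_id, expires)
    return f"https://insurer.example/quote/{client_id}?exp={expires}&sig={sig}"


def authorize_quote_url(url: str, now: Optional[float] = None) -> Optional[int]:
    """Return the client ID the link is valid for, or None to deny the request."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        client_id = int(parts.path.rsplit("/", 1)[-1])
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None  # malformed link or missing parameters
    expected = _sign(client_id, expires)
    # Constant-time comparison; fails if the ID or expiry in the URL was changed.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    current = time.time() if now is None else now
    if current > expires:
        return None  # link has expired
    return client_id
```

A signed link only protects the quote page itself; the backend holding the documents still needs its own authentication and per-record authorization checks.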

About 650,000 customers were impacted. The information exposed included:

  • Personal data
  • Health information
  • Situation details
  • Financial information
  • Contact details
  • Social security number
  • Insurance details

To make matters worse, IMY determined that the data was exposed by Trygg-Hansa’s portal to unauthorized parties for more than two years, between October 2018 and February 2021.

Such an extensive exposure period increases the likelihood of someone discovering the flaw and exploiting it to collect sensitive information.

This type of data can then be sold to cybercriminals and used for scamming, phishing, or even extorting the exposed individuals.

IMY has been able to confirm at least 202 cases of customers who had their personal information exposed to unauthorized users, but this may be the tip of the iceberg.

“The deficiencies have been of such elementary nature that Trygg-Hansa should have been able to detect and remedy these before the current IT system was launched and in any case, during the long period the system was used.” – IMY

The insurer’s failure to remedy the issues all this time, even after it received reports about the flaw, according to IMY, indicates a severe shortfall in data protection and risk mitigation measures, for which the regulator decided to impose an administrative penalty of $3M.

The full IMY decision on the Trygg-Hansa case is available here.
