The Swedish Authority for Privacy Protection (IMY) has fined insurer Trygg-Hansa $3 million for exposing on its online portal sensitive data belonging to hundreds of thousands of customers.
Trygg-Hansa is an insurer for individuals, private companies, and public organizations, and also an asset management and investment consultation firm.
IMY initiated an investigation on the firm after receiving a tip from a Moderna Försäkringar (now part of Trygg-Hansa) customer, who had discovered it was possible to access the insurer’s backend by following links available on quotation pages sent to clients.
These are sent to all existing or potential customers via SMS or email, containing a unique web address (URL) to a quote page on Trygg-Hansa’s website.
IMY confirmed that the backend database was accessible without requiring authentication, and they could browse private documents from other individuals by modifying in the URL the client ID number, which was sequential.
About 650,000 customers have been impacted. The information exposed included:
- Personal data
- Health information
- Condition details
- Financial information
- Contact details
- Social security number
- Insurance details
To make matters worse, IMY determined that the data was exposed through Trygg-Hansa’s portal to unauthorized parties for more than two years, between October 2018 and February 2021.
Such an extensive exposure period increases the likelihood of someone finding the flaw and exploiting it to collect sensitive information.
This type of data can then be sold to cybercriminals and used for scamming, phishing, or even extorting the exposed individuals.
IMY has been able to confirm at least 202 cases of customers who had their personal information exposed to unauthorized users, but this may be tip of the iceberg.
The insurer’s failure to remedy the issues all this time, even after it received reports about the flaw, according to IMY, indicates a severe shortfall in data security and risk mitigation measures for which the regulator decided to impose an administrative penalty of $3M.
The full IMY decision on the Trygg-Hansa case is available here.