Insurer Fined $3M for Exposing Data of 650k Clients for Two Years

The Swedish Authority for Privacy Protection (IMY) has imposed a fine of $3 million on Trygg-Hansa, an insurer, for the exposure of sensitive data belonging to hundreds of thousands of customers on its online portal.

Trygg-Hansa provides insurance services for individuals, private companies, and public organizations. It also operates as an asset management and investment consultation firm.

The investigation by IMY was initiated after a customer of Moderna Försäkringar (now part of Trygg-Hansa) reported that it was possible to access the insurer’s backend by following links provided on quotation pages sent to clients.

These quotation pages, which contain a unique web address (URL) to a quote page on Trygg-Hansa’s website, are sent to all existing or potential customers via SMS or email.

IMY confirmed that the backend database could be accessed without authentication, allowing them to browse private documents of other individuals by modifying the client ID number in the URL, which was sequential.

Around 650,000 customers have been affected by this incident. The exposed information includes personal data, health information, condition details, financial information, contact details, social security numbers, and insurance details.

To make matters worse, IMY discovered that unauthorized parties had access to the data through Trygg-Hansa’s portal for more than two years, from October 2018 to February 2021.

This prolonged exposure period significantly increases the risk of someone discovering the flaw and exploiting it to gather sensitive information.

Such exposed data can be sold to cybercriminals and used for various malicious activities such as scams, phishing, or even extortion.

IMY has identified at least 202 cases where customers’ personal information was exposed to unauthorized users, but this may only be the tip of the iceberg.

“The deficiencies have been of such fundamental nature that Trygg-Hansa should have been able to detect and remedy these before the current IT system was introduced and in any case, during the long period the system was used.” – IMY

According to IMY, the insurer’s failure to address the issues despite receiving reports about the flaw indicates a severe lack of data security and risk mitigation measures. As a result, IMY has imposed an administrative penalty of $3 million.

You can find the full IMY decision on the Trygg-Hansa case here.

Leave a Reply

Your email address will not be published. Required fields are marked *