For two years, the insurance company had been sending information about its customers via SMS and email

Swedish insurance company Trygg-Hansa was fined for disclosing personal data of its customers for more than two years. The data could be found on the operator's online portal in the section with price offers, BleepingComputer writes.

The Swedish privacy authority (IMY) has fined Trygg-Hansa Insurance Company $3 million for publishing confidential data belonging to hundreds of thousands of its customers on its online portal.

IMY launched an investigation after a report from one of them, namely Moderna Försäkringar. Its experts found that confidential data could be accessed by clicking on one of the links on the pages with price offers.

IMY confirmed that the server database was accessible without authentication, so in fact anyone could view the private information of others. The exposure involves the personal data of about 650 thousand Trygg-Hansa customers.

Price offers were periodically sent to existing or potential customers via SMS or e-mail. All of them contained a link to enter the database.

Thus, the personal and financial data of insurance service users, their contacts, health information, social security numbers, service conditions, etc. were disclosed.

The investigation revealed that this vulnerability had existed on the Trygg-Hansa portal for more than two years. IMY has confirmed at least 202 cases where customer information was viewed by unauthorized persons, i.e., not employees or owners of personal accounts. This data could be used for phishing, blackmail, etc.

According to speculation, Trygg-Hansa was aware of the problem and the likelihood of a leak, but was in no hurry to fix it. Due to security breaches and lack of risk mitigation measures, the regulator decided to impose an administrative fine of $3 million on the insurer.

Source: BleepingComputer