Insurer Faced with $3M Penalty for Compromising Client Data for Two Years

The Swedish Authority for Privacy Protection (IMY) imposed a penalty of $3 million on insurer Trygg-Hansa for unintentionally revealing sensitive data of numerous clients on its online platform.

As a notable firm offering insurance to individuals, private enterprises, and public entities, Trygg-Hansa also stands as a prominent player in asset management and investment consultation.

The investigation by IMY into Trygg-Hansa began following an alert from a customer formerly associated with Moderna Försäkringar, which is now a division of Trygg-Hansa. This client reported that the insurer’s digital infrastructure could potentially be accessed through links presented on the quote pages directed at clients.

Typically, these quotes are dispatched to current or prospective clients through SMS or email. Each message carries a distinctive web link that directs the recipient to a quotation page on the insurer’s official website.

The IMY inspection found that the backend database lacked proper security measures, allowing unauthorized access. Moreover, because the client ID number in the provided URL was sequential, unauthorized individuals could browse confidential documents simply by altering it.
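The weakness described above, next to one way to harden it, as an added example that is not Trygg-Hansa's code and is not taken from the IMY decision. The record layout, the names `weak_lookup` and `QuoteLinks`, and the seven-day link lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample records, keyed by a sequential client ID.
QUOTES = {
    1001: {"name": "Client A", "premium": 420},
    1002: {"name": "Client B", "premium": 515},
}

def weak_lookup(client_id):
    """Weak pattern: the link carries the sequential client ID and the
    server returns whichever record matches, with no further check."""
    return QUOTES.get(client_id)

class QuoteLinks:
    """Hardened pattern: the link carries a random, expiring token."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (client_id, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, now=None):
        """Create the token to embed in the SMS or email link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (client_id, now + self.ttl)
        return token

    def resolve(self, token, now=None):
        """Return the quote for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        client_id, expiry = entry
        if now > expiry:
            del self._tokens[key]  # expired links stop working
            return None
        return QUOTES.get(client_id)
```

Storing only the token's hash means a leaked token table does not yield working links. For health or financial data, an unguessable link is normally combined with authenticating the recipient before the quote is shown.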

The data breach affected approximately 650,000 clients, compromising information such as personal and health details, financial records, contact information, social security numbers, and specific insurance-related data.

Further compounding the issue, IMY ascertained that this confidential data remained accessible to unauthorized entities on Trygg-Hansa’s platform for an extensive period spanning from October 2018 to February 2021. The prolonged duration of exposure heightened the probability of someone identifying and capitalizing on this vulnerability to gather classified information.

The potential misuse of such data includes its sale to criminal entities, who could use it for fraud, identity theft, or even extortion of the affected parties.

IMY managed to verify around 202 cases where customers' confidential information was exposed to unauthorized users. However, the actual number could be significantly higher.

IMY stressed the fundamental nature of these lapses, emphasizing that Trygg-Hansa should have identified and addressed them before the implementation of its current IT system, or at least during its prolonged usage. The insurer’s prolonged failure to address these issues, particularly after being informed about them, revealed significant deficiencies in its data protection and risk prevention strategies. Consequently, IMY deemed it necessary to levy an administrative fine of $3M.

The comprehensive decision by IMY concerning the Trygg-Hansa situation is accessible for public review.