Trygg-Hansa Insurance Company fined for exposing clients’ data

September 28, 2023

Insurance company Trygg-Hansa faces a fine of about $3 million after exposing the data of thousands of customers on its online portal. The Swedish Authority for Privacy Protection imposed the sanction.

The company that faces the penalty is an insurer for private firms, public organisations, and individuals. It also offers asset management and investment consultation services.

The Sweden-based agency started an investigation after a customer tipped it off about a possible compromise within Trygg-Hansa.

The Swedish Authority for Privacy Protection investigated Trygg-Hansa after one of its customers claimed that it was possible to access the insurance company’s backend by following links on quotation pages sent to clients.

The fined company sends these links to all existing or potential customers through email or SMS. The messages contain a unique web address to a quote page on Trygg-Hansa’s site.

The Swedish authority confirmed that the backend database of Trygg-Hansa was accessible without requesting authentication. The investigators also observed that they could scan private documents from other individuals by modifying the URL and the client ID number.
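The pattern described above, where the client ID in the URL is the only thing the server checks, is shown below next to a hardened version. This is an added example, not Trygg-Hansa's code; the query layout, function names, key and sample records are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample data: quote documents keyed by client ID (all values made up).
QUOTES = {"1001": "quote for client 1001", "1002": "quote for client 1002"}
LINK_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent in a URL


def vulnerable_get_quote(client_id):
    """The pattern the article describes: whoever supplies an ID gets the document."""
    return QUOTES.get(client_id)


def _sign(client_id, expires):
    """HMAC over the client ID and expiry, so neither can be edited after issuance."""
    msg = f"{client_id}|{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(client_id, ttl=7 * 24 * 3600, now=None):
    """Build the query string for the emailed/SMS link (hypothetical layout)."""
    expires = int(time.time() if now is None else now) + ttl
    return f"client={client_id}&exp={expires}&sig={_sign(client_id, expires)}"


def hardened_get_quote(query, now=None):
    """Return the document only for an authentic, unexpired, untampered link."""
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    client_id, exp, sig = params.get("client"), params.get("exp"), params.get("sig")
    if not (client_id and exp and sig and exp.isascii() and exp.isdigit()):
        return None  # missing or malformed parameters
    expected = _sign(client_id, int(exp)).encode()
    if not hmac.compare_digest(expected, sig.encode()):
        return None  # client ID or expiry was changed, or the signature is forged
    if int(exp) < (time.time() if now is None else now):
        return None  # link has expired
    return QUOTES.get(client_id)


if __name__ == "__main__":
    link = issue_link("1001")
    tampered = link.replace("client=1001", "client=1002")
    print("vulnerable, edited ID:", vulnerable_get_quote("1002"))
    print("hardened, original link:", hardened_get_quote(link))
    print("hardened, edited ID:", hardened_get_quote(tampered))
```

A signed link only stops ID tampering; anyone holding the link can still open it, so sensitive documents still warrant an authenticated session behind it.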

In addition, the flaw affected approximately 650,000 customers, and the confirmed exposed information includes personal data, health information, condition details, financial info, contact details, Social Security numbers, and insurance details.

Investigations determined that the flaw exposed the data in Trygg-Hansa’s portal to unauthorised individuals for over two years, from 2018 to 2021.

Researchers claimed that extensive data exposure increases the chances of some actors uncovering the flaw and harvesting information. Hence, the exposed data on Trygg-Hansa could have landed in the hands of cybercriminals, who can use it for other malicious operations, such as scams, phishing, or extortion.

Authorities explained that the insurer could have dealt with the problem long before exposure. However, there is a high chance that multiple threat actors or groups could have grabbed the data discreetly since it remained unnoticed for more than a couple of years.

Therefore, the Swedish Authority for Privacy Protection imposed an administrative penalty of $3 million on Trygg-Hansa. Experts urge the clients of this insurer to be vigilant about unwanted communications since threat actors could have acquired troves of data from the recent blunder of the affected insurance company.