Insurer fined $3M for exposing data of 650k clients for two years

8 September 2023

The Swedish Authority for Privacy Protection (IMY) has fined insurer Trygg-Hansa $3 million for exposing on its online portal sensitive data belonging to hundreds of thousands of customers.



Trygg-Hansa is an insurer for individuals, private companies, and public organizations, and also an asset management and investment consultation firm.


IMY opened an investigation into the firm after receiving a tip from a Moderna Försäkringar (now part of Trygg-Hansa) customer, who had discovered that the insurer’s backend could be reached simply by following links present on the quotation pages sent to clients.


Quotes are sent to all existing or potential customers via SMS or email and contain a unique web address (URL) pointing to a quote page on Trygg-Hansa’s website.


IMY confirmed that the backend database was reachable without any authentication, and that private documents belonging to other individuals could be browsed by changing the client ID number embedded in the URL. Because the IDs were assigned sequentially, anyone holding one valid link could simply count up or down to reach every other customer’s documents.
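The flaw IMY describes is an insecure direct object reference: the integer in the link is the only thing that selects the document, nobody is logged in, and the integers are predictable. The following is an added example, not code from the article or from Trygg-Hansa’s system; all names, data and the access-log format are hypothetical. It places a minimal model of the vulnerable lookup next to a hardened version (random link token plus an ownership check against the authenticated user), and adds the check a responder would run over web-server logs to find the ID-walking pattern that exposure of this kind leaves behind.

```python
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data (hypothetical): sequential client IDs -> documents.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "quote 1001: health declaration, income"},
    1002: {"owner": "bob", "body": "quote 1002: personal number, bank details"},
    1003: {"owner": "carol", "body": "quote 1003: medical condition, address"},
}


# --- Vulnerable pattern: the integer in the URL is the only selector -------
def get_quote_vulnerable(client_id: int) -> Optional[str]:
    """No login, no ownership check: any integer reads any customer's file."""
    doc = DOCUMENTS.get(client_id)
    return doc["body"] if doc else None


def walk_ids_vulnerable(start: int, count: int) -> List[int]:
    """What sequential IDs buy an attacker: one loop enumerates everyone."""
    return [cid for cid in range(start, start + count)
            if get_quote_vulnerable(cid) is not None]


# --- Hardened pattern ------------------------------------------------------
# (1) the link carries a random token, so the URL space cannot be walked;
# (2) the server still checks that the logged-in user owns the document,
#     because a link can be forwarded or leaked from a mailbox;
# (3) "no such token" and "not yours" both return None, so probing learns
#     nothing about which IDs exist.
LINK_TOKENS: Dict[str, int] = {}  # token -> client_id, filled when a quote is sent


def issue_link_token(client_id: int) -> str:
    """Mint the token that goes into the SMS/email link (256 bits of entropy)."""
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = client_id
    return token


def get_quote_hardened(token: str, session_user: Optional[str]) -> Optional[str]:
    if session_user is None:
        return None                      # unauthenticated: no document at all
    client_id = LINK_TOKENS.get(token)
    if client_id is None:
        return None                      # unknown or guessed token
    doc = DOCUMENTS[client_id]
    if doc["owner"] != session_user:
        return None                      # authenticated, but not the owner
    return doc["body"]


# --- Detection: the access-log signature of ID walking ---------------------
# Hypothetical log format: "<ip> [<timestamp>] "<request line>" <status>".
LOG_LINE = re.compile(r'^(\S+) \S+ "GET /quote/(\d+) ')


def find_enumerators(log_lines, min_distinct: int = 5) -> Dict[str, int]:
    """Return source IPs that fetched many distinct, consecutive client IDs."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            ids_by_ip[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ids) >= min_distinct and consecutive >= min_distinct - 1:
            flagged[ip] = len(ids)
    return flagged


# Constructed access log: one client re-opening its own quote, and one
# address stepping through six IDs in a row.
SAMPLE_LOG = [
    '198.51.100.9 [08/Sep/2023:09:58:10] "GET /quote/1002 HTTP/1.1" 200',
    '203.0.113.7 [08/Sep/2023:10:00:01] "GET /quote/1001 HTTP/1.1" 200',
    '203.0.113.7 [08/Sep/2023:10:00:02] "GET /quote/1002 HTTP/1.1" 200',
    '203.0.113.7 [08/Sep/2023:10:00:03] "GET /quote/1003 HTTP/1.1" 200',
    '203.0.113.7 [08/Sep/2023:10:00:04] "GET /quote/1004 HTTP/1.1" 404',
    '203.0.113.7 [08/Sep/2023:10:00:05] "GET /quote/1005 HTTP/1.1" 404',
    '203.0.113.7 [08/Sep/2023:10:00:06] "GET /quote/1006 HTTP/1.1" 404',
    '198.51.100.9 [08/Sep/2023:10:05:44] "GET /quote/1002 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("walkable IDs:", walk_ids_vulnerable(1000, 10))
    tok = issue_link_token(1002)
    print("owner via token:", get_quote_hardened(tok, "bob"))
    print("other user via token:", get_quote_hardened(tok, "alice"))
    print("enumerators:", find_enumerators(SAMPLE_LOG))
```

The random token alone would stop the counting attack, but a link that reaches a mailbox or phone can be forwarded, which is why the hardened handler still requires a session and compares it with the document owner. The detector keys on the shape IMY’s finding implies, many distinct IDs from one source with consecutive values, rather than on error codes, since in the real case every ID resolved to a live record.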


About 650,000 customers have been impacted. The information exposed included:


  • Personal data
  • Health information
  • Condition details
  • Financial information
  • Contact details
  • Social security number
  • Insurance details


To make matters worse, IMY determined that the data was exposed through Trygg-Hansa’s portal to unauthorized parties for more than two years, between October 2018 and February 2021.


Such an extensive exposure period increases the likelihood of someone finding the flaw and exploiting it to collect sensitive information.


This type of data can then be sold to cybercriminals and used for scamming, phishing, or even extorting the exposed individuals.


IMY has been able to confirm at least 202 cases in which customers had their personal information exposed to unauthorized users, but this may be the tip of the iceberg.


“The deficiencies have been of such fundamental nature that Trygg-Hansa should have been able to detect and remedy these before the current IT system was introduced and in any case, during the long period the system was used.” - IMY


According to IMY, the insurer’s failure to fix the issue throughout this period, even after receiving reports about the flaw, indicates a severe shortfall in data security and risk mitigation measures. On that basis the regulator decided to impose an administrative penalty of $3M.



Source: bleepingcomputer.com

