Carding
The confidential information of 650 thousand people has been lying right in plain sight for a long time.
The Swedish Privacy Protection Authority (IMY) has fined insurance company Trygg-Hansa $3 million (290 million rubles) for leaking sensitive personal data of hundreds of thousands of customers through the company's online portal.
Trygg-Hansa provides insurance services for individuals, private companies and government organizations, as well as asset management and investment consulting.
The IMY investigation was initiated after a complaint from one of Trygg-Hansa's clients, who discovered that the company's entire internal database could be accessed via URLs in mail or SMS newsletters with insurance offers.
Management confirmed that the database was accessible without authentication and that confidential documents of other persons could be viewed just by changing the client ID in the link.
In total, the data of about 650 thousand customers, including their employees, was potentially leaked:
- personal data;
- health information;
- details of insurance claims;
- financial information;
- contact details;
- social security number;
- insurance data.
Even worse, according to IMY, unauthorized access to this information was open for more than two years, so anyone as attentive as the client who contacted IMY could have freely accessed all of this data.
IMY has confirmed at least 202 cases of unauthorized access to customers' personal data, but the actual number may be significantly higher.
According to the regulator, the insurer should have detected and eliminated the vulnerability when the system was implemented, as well as during the entire long period of its operation. Failure to do so indicates serious data security flaws, for which IMY imposed the fine of three million dollars.
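The flaw described above was a client ID in a newsletter link that could be changed to reach another person's documents. The following added example (not code from Trygg-Hansa or IMY) shows one mitigation: binding each link to the client ID it was issued for with an HMAC, so an edited ID is rejected. The `/offer` path, the parameter names, the key and the validity window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Assumption: a server-side secret loaded from a secrets store; constructed value here.
LINK_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 14 * 24 * 3600  # hypothetical lifetime of an offer link


def _tag(client_id: str, issued_at: int) -> bytes:
    # The tag covers both the client ID and the issue time, so neither can be edited.
    msg = f"{client_id}|{issued_at}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest().encode()


def make_offer_link(client_id: str, now: Optional[int] = None) -> str:
    """Build the link placed in a mail or SMS newsletter for one client."""
    issued_at = int(time.time()) if now is None else now
    sig = _tag(client_id, issued_at).decode()
    return f"/offer?cid={client_id}&ts={issued_at}&sig={sig}"


def verify_offer_link(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the client ID the link was issued for, or None if it is rejected."""
    now = int(time.time()) if now is None else now
    query = dict(parse_qsl(urlsplit(url).query))
    cid, ts, sig = query.get("cid"), query.get("ts"), query.get("sig")
    if not cid or not ts or not sig:
        return None  # unsigned links are never served
    if not (ts.isascii() and ts.isdigit()):
        return None
    issued_at = int(ts)
    # Constant-time comparison; fails if cid or ts was changed after issuance.
    if not hmac.compare_digest(_tag(cid, issued_at), sig.encode()):
        return None
    if issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return None  # future-dated or expired link
    return cid
```

A signed link is still a bearer credential for whoever holds the message, so documents with health or financial data should additionally sit behind a login and a server-side check that the session owns the requested client ID.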