The Swedish Authority for Privacy Protection (IMY) has fined the insurance company Trygg-Hansa $3 million (290 million rubles). The fine was imposed because the company failed to protect the sensitive personal data of hundreds of thousands of customers, which was leaked through its online portal.
Trygg-Hansa is a provider of insurance services for individuals, private companies, state organizations, and also offers asset management and investment consulting.
IMY opened its investigation following a complaint from one of Trygg-Hansa’s customers. The customer discovered that the URL in links sent by post or SMS with insurance proposals gave them unauthorized access to the company’s entire internal database.
The management of Trygg-Hansa confirmed that the database was accessible without any authentication. This meant that by simply changing the client identifier in the URL, individuals could view confidential documents belonging to other people.
As a result of this security breach, approximately 650,000 customers were potentially affected. The leaked data includes personal information, details of insured events, health information, and financial information.
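The flaw described above, where the client identifier in the URL alone selects the record, is shown here next to one way to bind a mailed link to a single customer. This is an added example, not Trygg-Hansa's code; the function names, the `OFFERS` data and `LINK_KEY` are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: numeric client identifier -> offer document.
OFFERS = {"1001": "offer for customer 1001", "1002": "offer for customer 1002"}
LINK_KEY = b"demo-key-keep-server-side"  # assumption: secret known only to the portal


def lookup_weak(customer_id):
    """Flawed pattern: any identifier the caller supplies returns that record."""
    return OFFERS.get(customer_id)


def _mac(customer_id, expires_at, key):
    msg = f"{customer_id}.{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link_token(customer_id, expires_at, key=LINK_KEY):
    """Value placed in the letter/SMS link: identifier, expiry (epoch seconds), MAC."""
    return f"{customer_id}.{expires_at}.{_mac(customer_id, expires_at, key)}"


def lookup_hardened(token, now=None, key=LINK_KEY):
    """Return the offer only for an authentic, unexpired token; otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    customer_id, expires_at, mac = parts
    expected = _mac(customer_id, expires_at, key)
    # Constant-time comparison; a changed identifier no longer matches the MAC.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not expires_at.isdigit() or int(expires_at) < now:
        return None
    return OFFERS.get(customer_id)
```

A signed link is still a bearer credential for whoever holds the letter or SMS, so health and financial documents warrant an authenticated session behind it.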