DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Sweden’s Privacy Protection Agency fines insurer Trygg-Hansa for exposing sensitive customer data

Posted on September 17, 2023 by Dissent

The following press release was issued August 30 by Sweden’s Authority for Privacy Protection (IMY):

Trygg-Hansa’s security flaws have meant that information on 650,000 customers has been accessible via the internet. The Privacy Protection Agency (IMY) is now issuing an administrative sanction fee of SEK 35 million against the company.

After receiving a tip, IMY began an inspection of the insurance company Trygg-Hansa. The tipster had received an email from the company with a link to a quote page. On the quote page, there were clickable links with URLs that led to documents with insurance information. However, the tipster noticed that it was possible to access other policyholders’ documents, without any kind of login, by simply replacing a few numbers in the web link.

– The documents that have been accessible to unauthorized persons have in some cases contained sensitive personal data, including information about health that also had a high level of detail, so that it was possible to find out, for example, how a health problem arose or details about a health condition. All in all, the large amount of personal data has made it possible to create a clear picture of a person’s private circumstances, says Evelin Palmér, lawyer at IMY.

Possible to access data for more than two years

IMY’s review has shown that it was possible to access customer data for 650,000 customers during the period October 2018 to February 2021. Among the customer data, in addition to data on health, there are also other data such as financial information, contact details, social security numbers and insurance holdings.

In its decision, IMY states that the deficiencies have been of such a fundamental nature that Trygg-Hansa should have had the opportunity to discover and remedy these even before the relevant IT system was introduced and in any case during the long period that the system was used.

IMY assesses that Trygg-Hansa has not taken appropriate technical measures to ensure a level of security that is appropriate in relation to the risk. The authority therefore issues an administrative sanction fee of SEK 35 million against the company.

Clarification

The security deficiency that IMY has found in the current case was at the insurance company Moderna Försäkringar. IMY clarifies that Moderna Försäkringar has subsequently, in April 2022, merged with Trygg-Hansa and in connection with that changed its name to Trygg-Hansa.

Access the decision against Trygg-Hansa (pdf, 163 kB)

Source: Swedish Authority for Privacy

Note: SEK 35 million is equivalent to USD $3,125,290.18 at today’s conversion rate.

Category: Business SectorExposureNon-U.S.

Post navigation

← Personal Data Protection Commissioner of Singapore announces two decisions
“I’m Not Pro-Russia and I’m Not a Terrorist!” —- InfraGard and Airbus Hacker “USDoD” Unveils His New Campaigns →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.