Swedish insurer Trygg-Hansa sanctioned over data failures

Customer data was possible to access online openly for over two years.

The Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten (IMY), has sanctioned Swedish insurer Trygg-Hansa Skr 35m ($3.2m) over having the data of 650,000 customers online for more than two years.

After a tip, IMY found that, without having to log in, anyone could access customers’ data to one of their branches, Moderna Försäkringar, by just switching some of the numbers in the websites’ URL.

“The documents that have been accessible to unauthorized persons have in some cases contained sensitive personal data, including information about health that also had a high level of detail, so that it was possible to understand, for example, how a health problem arose or details about a health condition,” said Evelin Palmér, lawyer at IMY.

The accessable information included customer’s:

  • name;
  • social security number;
  • contact details (address, e-mail address, phone number);
  • insurance number;
  • claim number,
  • financial information;
  • health information;
  • insurance holdings;
  • ownership information (such as animal ownership, vehicle details, property details);
  • property damage (such as details about workshop, notice of compensation);
  • sequence of events (for example time, place, actions and other information that the data subject provided in free text fields); and
  • other free text fields.

“Overall, the large amount of personal data has made it possible to create a clear picture of a person’s private circumstances,” Palmér added.

Basic safety failings

IMY’s investigation concluded that the safety failings were of “such basic character” that the company would have been able to acknowledge and fix them during this two-year period. IMY also found that the company had not taken appropriate technical measures to ensure a security level that is suitable in relation to the risk of this kind of information.

According to Moderna Försäkringar’s own logs, 202 customers could probably have been accessed by unauthorized persons. Yet, after examining the logs, IMY believes that only the tipster and IMY had accessed the documents.

“Overall, the large amount of personal data has made it possible to create a clear picture of a person’s private circumstances.”

Evelin Palmér, lawyer at IMY

At the time of the the findings in 2021, the safety failings were within the insurance company Moderna Försäkringar, which merged with Trygg-Hansa in April 2022. Trygg-Hansa said in a statement that none of its customer data was involved in the breach.