Today we will examine two recent instances of data disclosure, both of which, as is often the case, have resulted in serious financial and reputational losses for the companies involved.
Trygg-Hansa, a Swedish company that provides consulting services and insurance to individuals and to private and public organisations, left the data of 650,000 customers publicly accessible for more than two years.
The incident came to light when the Swedish Authority for Privacy Protection (IMY) received a tip-off from one of Trygg-Hansa's customers that the insurer's backend could be accessed via links on quotation pages sent to clients. The links in question contained a URL to the pricing page of the organization’s website and were sent to all current and potential customers.
Following an investigation, IMY claims that the data was accessible to unauthorized individuals from late 2018 to early 2021. According to the investigation, the following personal information of Trygg-Hansa customers was compromised:
IMY alleges that Trygg-Hansa failed to correct the error for some time after being notified, during which the data remained openly available. In September 2023, IMY imposed a fine of $3 million on Trygg-Hansa.
The second incident occurred at Cyberport Hong Kong, a digital technology flagship and entrepreneurship incubator. 400 GB of data was leaked online, including personal details of employees of Cyberport and some start-up companies: HKID card numbers, bank statements, lease agreements, receipts, audit reports, and resumes.
On 12 September 2023, a Cyberport spokesperson said that the leaked information had been mistakenly stored on a public drive on the company's server, which was subsequently hacked. Sensitive data, he said, should not have been stored on the drive in the first place.
The criminals demanded a ransom of $300,000 and additionally put the data up for sale online. The data was published on the darknet after the ransom was not paid.
A spokesman for Cyberport also said that the company had not considered paying the ransom and that the incident had caused significant damage to the company's image.
Read about another recent data leak that was caused by a human error on the part of a ShopBack employee.