Ransom Demand for Human Error and Two-year Data Leakage
13.09.2023Back to news
Today we will examine two recent instances of data disclosure, both of which, as is often the case, have resulted in serious financial and reputational losses for the companies involved.
Trygg-Hansa, a Swedish company that provides consulting services and insurance to individuals, private and public organisations, kept the data of 650,000 customers in the public domain for more than two years.
The incident came to light when The Swedish Authority for Privacy Protection (IMY) received a tip-off from one of Trygg-Hansa's customers that the insurer's backend could be accessed via links on quotation pages sent to clients. The links in question contained a URL to the pricing page of the organization’s website and were sent to all current and potential customers.
Following an investigation, IMY claims that the data was accessible to unauthorized individuals from late 2018 to early 2021. According to the investigation, the following personal information of Trygg-Hansa customers was compromised:
- Сondition details
- Financial information
- Contact details
- Social security numbers (SSN)
- Insurance details.
IMY alleges that Trygg-Hansa failed to correct the error for some time after receiving notification, and that the data was still openly available. In September 2023, IMY imposed a fine of $3 million on Trygg-Hansa.
The second incident occurred at Cyberport Hong Kong, a digital technology flagship and entrepreneurship incubator. 400GB of data has been leaked online, including personal details of employees of Cyberport and some start-up companies: HKID card numbers, bank statements, lease agreements, receipts, audit reports, resumes.
On 12 September 2023, a Cyberport spokesperson said that the leaked information had been mistakenly stored on a public drive on the company's server, which was subsequently hacked. Sensitive data, he said, should not have been stored on the disc in the first place.
The criminals demanded a ransom of $300,000 and additionally put the data up for sale online. The data was published on the Darknet after the ransom was not paid.
A spokesman for Cyberport also said that the company had not considered paying the ransom and that the incident had caused significant damage to the company's image.
Read about another recent data leak that was caused by a human error on the part of a ShopBack employee.