Breach Roundup: Swedish Insurer Fined $3M for GDPR BreachAlso, Google Fitbit Faces Privacy Complaints From Schrems
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the Swedish DPA fined an insurer $3 million for violating GDPR, a DDoS attack disrupted a German financial agency website, Google Fitbit faced privacy complaints from Schrems, Ragnar Locker published hacked hospital data, and Seville, Spain dealt with the aftermath of a ransomware attack.
Swedish DPA Fines Insurer
The Swedish data protection authority fined insurer Trygg-Hansa $3 million for a data breach that exposed the sensitive information of approximately 650,000 customers through the company's online portal. The data protection authority's investigation revealed the exposure had gone on for over two years, from October 2018 to February 2021.
The breach came to light after a customer of Moderna Försäkringar, now part of Trygg-Hansa, stumbled on a vulnerability that allowed access to the insurer's back-end. The flaw was accessible through unique web addresses provided on quotation pages sent to clients via SMS or email. The exposed data included personal details, health information, financial records, contact information, Social Security numbers and insurance specifics.
DDoS Attack Disrupts BaFin Website
German banking regulator BaFin's website has been only partially accessible since Friday following a distributed denial-of-service attack. The Federal Financial Supervisory Authority implemented security and defensive measures that resulted in restricted access to its website. All the other systems operated by BaFin continued to function smoothly without any disruptions.
BaFin supervises about 2,700 banks, 800 financial services institutions and over 700 insurance providers. The public website is a hub for the distribution of consumer information, regulations and alerts and a repository for documents pertaining to agency investigations. It contains a database of registered companies, public tenders and job listings, as well as a platform for whistleblowers to confidentially report violations.
Google Fitbit Faces GDPR Complaints
Max Schrems' None of Your Business advocacy group filed three privacy complaints against Fitbit with data protection authorities in Austria, the Netherlands and Italy. Nyob accused Google-owned Fitbit of violating Europe's General Data Protection Regulation by compelling users to consent to data transfers outside the European Union without the option to withdraw consent. Nyob argued that Fitbit also fails to meet legal requirements by not explaining its data use. Currently, Fitbit's policy requires deleting accounts to withdraw consent.
Hacked Hospital Data Published
The ransomware hacker group known as Ragnar Locker has published what is says it 402 gigabytes of stolen patient data from Israel's Mayanei Hayeshua Medical Center. The hospital's administrative computer systems were compromised in an Aug. 8 ransomware attack, leading it to stop accepting new outpatients and routing new emergency patients to nearby hospitals.
Ragnar Locker said it had seized sensitive data containing internal emails, finances, medical cards and other highly sensitive data. The hackers said they refrained from encrypting any files to avoid unintended harm or disruption to the hospital's medical operations.
Israeli newswire JNS reported that the country's Privacy Protection Authority had confirmed the breach but had not corroborated the claims made by the group about the details of what data was compromised.
City in Spain Hit by LockBit
The Spanish city of Seville suffered a cyberattack on Tuesday that El País attributed to the LockBit ransomware-as-a-service group. The city has refused to engage in any ransom payments, local media reported. The attack affected several city services and paralyzed all government systems.
Mayor José Luis Sanz said on Thursday that the city is making efforts to swiftly reinstate services. Preliminary results of the investigation suggest that hackers did not steal data but did succeed in encrypting some files housed on an older server. The holdup in restoring systems, he said, is related to ensuring that hackers can't exploit the same flaw again.
Other Coverage From Last Week