© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

Programming error leads to data breach, costing Spanish insurance company €600K


Spanish insurance company Ibermutua has to pay a fine of €600,000 for a data breach caused by a programming error in its digital platform.

In August and September 2024, several data breach complaints were filed against Ibermutua, an insurance company within the Spanish social security system that handles disability, sick leave, reintegration, and work-related care.

The data breach occurred due to a programming error in the company's digital platform. Because of the coding error, documents containing confidential employee data were attached to the wrong outgoing emails, which were then sent to recipients not authorized to see them, including partner companies.

The exposed data included personal and health-related information of 3,395 individuals, and was sent to 354 unauthorized people. The affected data included full names, ID numbers, social security numbers, health-related absence details, accident records, and information regarding their salary.

Several affected individuals filed a complaint with the Agencia Española de Protección de Datos (AEPD).

The Spanish privacy regulator concluded that Ibermutua violated Article 5(1)(f) of the General Data Protection Regulation (GDPR), the integrity and confidentiality principle, which requires personal data to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

According to the AEPD, the data breach resulted from inadequate security measures in the company’s digital platform. The Spanish data protection authority (DPA) initially imposed a fine of €1 million for the data protection violation. However, because Ibermutua acknowledged responsibility and opted for voluntary payment, the insurance company got a 40% reduction and only has to pay €600,000.

Ibermutua has to adopt both technical and organizational measures to prevent similar incidents in the future, including enhanced email security controls, verification mechanisms that check outgoing messages before they are sent, and more rigorous testing of the platform.
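The article does not say what the coding error looked like or what the required verification mechanism will be. The following is an added example, not Ibermutua's code, that shows one plausible shape of a wrong-attachment bug in a batch mailer (an attachment list reused across loop iterations, which is an assumption, not the actual defect) next to a pre-send gate that refuses to dispatch any message whose attachment concerns a data subject the recipient is not authorized for. All names, addresses, identifiers and documents are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    """A document about exactly one data subject (hypothetical structure)."""
    filename: str
    subject_id: str          # identifier of the person the document concerns


@dataclass(frozen=True)
class Recipient:
    """A mailbox and the set of data subjects it may receive documents about."""
    email: str
    authorized_subject_ids: frozenset


@dataclass
class Outgoing:
    to: str
    attachments: list


class AuthorizationError(Exception):
    """Raised when a message would carry a document its recipient may not see."""


def build_batch_buggy(recipients, documents_by_email):
    """One plausible shape of a wrong-attachment bug (assumed, not the real one):
    the attachment list lives outside the loop and is only replaced when a
    recipient has documents, so a recipient with none inherits the previous
    recipient's documents."""
    batch = []
    attachments = []                      # BUG: shared across iterations
    for r in recipients:
        if r.email in documents_by_email:
            attachments = documents_by_email[r.email]
        batch.append(Outgoing(to=r.email, attachments=attachments))
    return batch


def verify_batch(batch, recipients):
    """Pre-send gate: return (recipient, filename, subject_id) for every
    attachment whose subject is not in the recipient's authorization set.
    A recipient unknown to the authorization table is allowed nothing."""
    allowed = {r.email: r.authorized_subject_ids for r in recipients}
    violations = []
    for msg in batch:
        for a in msg.attachments:
            if a.subject_id not in allowed.get(msg.to, frozenset()):
                violations.append((msg.to, a.filename, a.subject_id))
    return violations


def build_batch_safe(recipients, documents_by_email):
    """Fresh attachment list per recipient, then refuse the whole batch if the
    gate finds a single mismatch (fail closed instead of sending partially)."""
    batch = [Outgoing(to=r.email,
                      attachments=list(documents_by_email.get(r.email, [])))
             for r in recipients]
    violations = verify_batch(batch, recipients)
    if violations:
        raise AuthorizationError(violations)
    return batch


def sample_data():
    """Constructed sample: two partner mailboxes with one document each and a
    third with none, which is what triggers the stale-list bug above."""
    recipients = [
        Recipient("alice@partner-a.example", frozenset({"ID-001"})),
        Recipient("bob@partner-b.example", frozenset({"ID-002"})),
        Recipient("carol@partner-c.example", frozenset({"ID-003"})),
    ]
    documents_by_email = {
        "alice@partner-a.example": [Attachment("absence_ID-001.pdf", "ID-001")],
        "bob@partner-b.example": [Attachment("accident_ID-002.pdf", "ID-002")],
    }
    return recipients, documents_by_email


if __name__ == "__main__":
    recipients, docs = sample_data()
    leaked = verify_batch(build_batch_buggy(recipients, docs), recipients)
    print("buggy batch violations:", leaked)
    safe = build_batch_safe(recipients, docs)
    print("safe batch attachment counts:", [len(m.attachments) for m in safe])
```

The gate is deliberately independent of the code that assembles the messages: it re-derives, from an authorization table the mailer does not control, whether each attachment may go to each recipient, so a second bug in the assembly logic (a mis-filed document rather than a stale list) is caught by the same check. Running it on the sample shows the buggy batch sending Bob's accident record to Carol, while the safe builder produces a third message with no attachments.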

The insurance company has three months to implement these corrective measures and report back to the AEPD.

