Bupa Insurance Services Limited who manages domestic and global insurance policies has been fined £175,000 under the Data Protection Act 1998 for failing to have appropriate organisational and technical measures in place to protect customers’ data from unauthorised access and misuse.

As the data controller, Bupa, failed to protect the personal records of 1.5 million individuals processed on its customer relationship management system (SWAN) used to manage customer claims under their international health insurance policies.

On 16 June 2017 personal data of Bupa’s Global customers was found for sale on the dark web. It was discovered that a Bupa employee had made unauthorised use of personal data accessed via SWAN.

The commissioner deems that Bupa failed to have adequate procedures in place to stop unauthorised and unlawful processing of personal information accessible through its system.

How it happened

Between the 6 January and 11 March 2017, a Bupa employee accessed the system and extracted the personal information of 547,000 individuals and sent bulk data reports to his personal email account. The employee proceeded to offer the data for sale on the dark web. Information included names, date of birth, email address and nationality.

Bupa was alerted by an external partner who noticed the customer data for sale. Bupa confirmed at the time that the incident was not a result of a cyber attack or external breach, but a deliberate act by an employee.

Bupa failed to monitor the activity on SWAN properly and was unaware of the unusual activity going on including the bulk extraction of data thus placing 1.5 million records at risk.

ICO Director of Investigations, Steve Eckersley, said:

“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it”.

The loss of this data and the consequence of the sale thereof could be used by criminals to launch additional attacks on Bupa customers. By merging leaked data from multiple sources, criminals could potentially target victims with convincing phishing and spear phishing attacks.

What we can learn from this

Security measures should have been implemented to prevent data from being leaked or stolen. If data was appropriately secured and managed and access to data controlled, tracked and monitored any out of the ordinary behaviour would have been recognised.

This incident highlights the importance of controlling access to data and demonstrates the impact of data mismanagement. It emphasises the necessity to protect against the insider threat and not only attacks that result from outside of the organisation. A malicious act by a disgruntled employee or a mistake by a member of staff can result in the loss of data which also constitutes a data breach and will have the same ramifications as a breach resulting from an outsider attack.

Organisations must protect customer data and tighten down access in a secure and compliant way. Encrypt data, control and manage data access as well as log and monitor data access activity, while maintaining secure sharing of resources for efficient functioning. Solutions to facilitate this should be implemented so that organisations can protect against data loss under any circumstances: insider or outsider threats, through error or malice.