[BreachExchange] After major Bupa breach: is your data safe from a rogue employee?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 20 20:21:33 EDT 2017


http://www.insurancebusinessmag.com/ca/news/breaking-news/after-major-bupa-breach-is-your-data-safe-from-a-rogue-employee-73626.aspx

A global health insurer’s huge data breach by a rogue employee has
highlighted the need for companies to protect themselves – both before and
after a theft.

Last week, international health insurance giant Bupa confirmed an employee
had stolen data relating to 547,000 clients and was trying to sell it
online.

This stolen data was exclusively from customers of Bupa Global, “which
handles international health insurance, mainly for people who work overseas
or travel on a regular basis,” managing director of Bupa Global, Sheldon
Kenton, said last week.

Healthcare data is hugely popular among criminals, who sell the data on the
Dark Web. In fact, excluding health insurance companies, this year in the
United States alone there have been 176 data breaches “affecting 500 or
more individuals” in the healthcare sector, according to the Department of
Health and Human Services Office for Civil Rights.

This Bupa theft highlights a different risk for health insurers, one that
can be difficult to guard against. In the past, customer data has more
often been stolen by outside hackers – such as the enormous theft of Blue
Cross Blue Shield data from Anthem in 2015. In this case, it was a rogue
employee who pilfered the data.

Data law expert Bradley Freedman, a partner at international law firm
Borden Ladner Gervais, said lessons could be learned for companies of all
types and sizes from this breach.

“This is an example of a business risk for all organizations, large or
small, regardless of the industry, and there are lots of commonsense,
low-cost, easy things that organizations can do to reduce the risk of this
kind of an incident,” he said.

Mitigation measures include due diligence on employees and outsiders who
will be accessing your organization’s systems – like contractors, suppliers
and temp workers – to minimize the risk of them improperly accessing or
stealing information.

However, technology – including restrictions on who can access what
information – could be a company’s best defense.

“A business should organize itself and structure itself so employees have
access to the data they need, but no more,” Freedman said. “You shouldn’t
have one big network where everyone can access everything. It should all
be segregated and locked down, with technological measures that do that.”

Organizations’ systems should collect logs of who is accessing what
information – and those should be reviewed periodically for red flags.
Staff should also be trained on appropriate access, the consequences if
they break rules and policies, and how to avoid inadvertent misconduct – as
well as how to avoid being caught out by a phishing scam that could
compromise the organization’s systems.
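As an added illustration of the log-review advice above (example code written for this post, not from the article, from Bupa, or from any of the people quoted): a small script that reads an access log, computes each user's normal daily volume of distinct customer records, and flags the two red flags an insider bulk export tends to leave behind, a day far above the user's own baseline and activity outside business hours. The log format, the sample events, and the thresholds are all assumptions chosen for the example.

```python
"""Added example: periodic review of data-access logs for insider red flags.

Not code from the article or from Bupa. The log format, thresholds and
sample events below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed log format, one event per line: ISO timestamp,user,action,record_id
# Thresholds are assumptions; tune them to the application's real baseline.
ABS_RECORDS_PER_DAY = 50        # more distinct records than any normal role needs
RATIO_OVER_BASELINE = 5.0       # N times the user's own median daily volume
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; anything else is "off hours"


def build_sample_log():
    """Constructed sample: routine activity for three users, then two anomalies."""
    lines = []
    for day in (10, 11, 12):
        for i in range(3):   # alice: three records a day, mornings
            lines.append(f"2017-07-{day}T09:{10 + i:02d}:00,alice,VIEW,C{1000 + day * 10 + i}")
        for i in range(4):   # bob: four records a day, afternoons
            lines.append(f"2017-07-{day}T14:{10 + i:02d}:00,bob,VIEW,C{2000 + day * 10 + i}")
        for i in range(2):   # carol: two records a day
            lines.append(f"2017-07-{day}T10:{10 + i:02d}:00,carol,VIEW,C{4000 + day * 10 + i}")
    # Anomaly 1: bob exports 60 distinct records late at night on the 13th.
    for i in range(60):
        lines.append(f"2017-07-13T23:{i:02d}:00,bob,EXPORT,C{3000 + i}")
    # Anomaly 2: carol views 14 records during business hours, 7x her baseline.
    for i in range(14):
        lines.append(f"2017-07-13T11:{i:02d}:00,carol,VIEW,C{5000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Turn raw log lines into event dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, record_id = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record_id})
    return events


def distinct_records_per_day(events):
    """{user: {date: set(record_id)}} - distinct records, not raw hits."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["ts"].date()].add(e["record"])
    return per_day


def flag_bulk_access(events):
    """Flag user-days that exceed an absolute cap or the user's own baseline.

    The baseline is the median of that user's *other* days, so a single
    bulk day does not inflate the baseline used to judge it.
    """
    flags = []
    for user, days in distinct_records_per_day(events).items():
        counts = {d: len(recs) for d, recs in days.items()}
        for day, count in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != day]
            baseline = median(others) if others else 0
            if count >= ABS_RECORDS_PER_DAY:
                flags.append((user, day.isoformat(), count, "absolute threshold"))
            elif baseline and count > RATIO_OVER_BASELINE * baseline:
                flags.append((user, day.isoformat(), count,
                              f"{count / baseline:.0f}x own baseline"))
    return flags


def flag_off_hours(events):
    """Count per user-day how many record accesses fell outside business hours."""
    counts = defaultdict(int)
    for e in events:
        if e["ts"].hour not in BUSINESS_HOURS:
            counts[(e["user"], e["ts"].date().isoformat())] += 1
    return sorted((u, d, n) for (u, d), n in counts.items())


def review_access_log(text):
    """Run both checks over a raw log and return the findings for review."""
    events = parse_log(text)
    return {"bulk": flag_bulk_access(events), "off_hours": flag_off_hours(events)}


if __name__ == "__main__":
    report = review_access_log(build_sample_log())
    for user, day, count, why in report["bulk"]:
        print(f"BULK   {user} {day}: {count} distinct records ({why})")
    for user, day, n in report["off_hours"]:
        print(f"OFFHRS {user} {day}: {n} accesses outside business hours")
```

Two design choices worth noting: the script counts distinct records rather than raw requests, because a rogue employee paging through a single file generates many hits but little exposure, whereas 60 different customer records in one evening is the pattern that matters; and each user is compared against their own history, so a claims handler who legitimately touches many records every day is not flagged for doing their job.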

Freedman suggested companies also use multi-factor authentication for
logins to prevent staff unwittingly handing over their username and
password to scammers. And if a breach occurs, a company should have systems
in place to minimize the risk, and prevent a full-scale disaster.

“It’s really a multidisciplinary thing – none of the stuff we’re talking
about is an IT issue, it’s all an organization-wide risk-management
problem,” Freedman said.

Nir Kossovsky, CEO of Steel City Re, which specializes in reputation
insurance, said Bupa – by front-footing an apology to customers – had done
what was “necessary” to momentarily assuage stakeholder concern.

“Reputation risk is the risk of leaving stakeholders disappointed and
emotionally charged. A cyber breach [including employee theft of computer
data] does not necessarily damage an institution’s reputation,” Kossovsky
said.

In the same way that customers will not necessarily leave a bank following
one bank robbery, the same would likely apply to an insurance company, he
said.

“But if a bank’s security systems are not up to the challenge, customers
will start doubting whether that is a safe place to keep their money,” he
added. “And doubt, of course, is what reputation risk looks like.”