[BreachExchange] Bupa fined after details of 500,000 customers offered for sale on dark web

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 28 15:46:36 EDT 2018


https://www.shropshirestar.com/news/uk-news/2018/09/28/bupa-fined-after-details-of-500000-customers-offered-for-sale-on-dark-web/

Bupa has been fined £175,000 for failing to have effective security
measures in place to protect customers’ personal information.

The penalty was imposed on Bupa Insurance Services Limited by the
Information Commissioner’s Office (ICO).

The watchdog said that, between January and March 2017, a Bupa employee was
able to extract the personal information of 547,000 Bupa Global customers
and offer it for sale on the dark web.

The employee, who was later dismissed, accessed the information via Bupa’s
customer relationship management system, known as Swan, which holds records
relating to 1.5 million people.

The employee sent bulk data reports to his personal email account and the
compromised information, which included names, dates of birth, email
addresses and nationality, was later offered for sale on the dark web, the
ICO said.

ICO director of investigations Steve Eckersley said: “Bupa failed to
recognise that people’s personal data was at risk and failed to take
reasonable steps to secure it.

“Our investigation found material inadequacies in the way Bupa safeguarded
personal data. The inadequacies were systemic and appear to have gone
unchecked for a long time. On top of that, the ICO’s investigation found no
satisfactory explanation for them.”

Bupa was alerted to the breach in June 2017 by an external partner who
spotted customer data for sale.

Bupa and the ICO received 198 complaints about the incident.

The ICO said its investigation found that, at the time, Bupa did not
routinely monitor Swan’s activity log. Bupa was unaware of a defect in the
system and was unable to detect unusual activity, such as bulk extractions
of data.

Failing to keep personal data secure is a breach of the Data Protection Act
1998.

A spokeswoman for Bupa Global said: “We accept this decision by the ICO and
have co-operated fully with its investigation.

“We take our responsibility for protecting customer information very
seriously.

“We have since introduced additional security measures to help prevent the
recurrence of such an incident, reinforced our internal controls and
increased our customer checks.”