Bupa fined £175,000 due to worker attempting to sell customer data on the dark web

The rogue employee attempted to sell customers' names, dates of birth and email addresses


Bupa has been fined £175,000 by the ICO after one of its employees tried to sell the records of 547,000 Bupa Global customers on the dark web early last year.

The employee in question managed to lift the data from Bupa's CRM system, which holds data relating to 1.5 million of the company's customers in total. The information stolen included dates of birth, email addresses and nationality.

The ICO said Bupa failed to protect its customers' data by not monitoring how its CRM system, SWAN, was used, allowing the employee to steal the information and then send the records to his personal email account. This data was then sent by the employee to the dark web between January and March last year.

Bupa was only made aware of the issue on 16 June 2017 when a partner told the company it had found the customer information for sale. The company also received 198 complaints about the incident and at this point, the employee in question was dismissed and Sussex Police informed.


After investigating the breach, Bupa realised there was a flaw in its activity monitoring system that meant it wasn't alerted to unusual activity in the system, such as bulk data downloads. The ICO said this was a breach of the Data Protection Act 1998.

"Bupa failed to recognise that people's personal data was at risk and failed to take reasonable steps to secure it," ICO director of investigations Steve Eckersley said.

"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."

The ICO said it has fined Bupa under the Data Protection Act 1998 and not the more recent General Data Protection Regulation and 2018 Act because the incident occurred before the new legislation came into force.
