Bupa employee steals 547,000 customers' data

Financial and medical data not at risk, but insider shared info with "other parties"

More than 500,000 Bupa customers' data is in the wild after an employee "copied and removed" their information from the health insurer's systems.

No medical or financial information is at risk, but 547,000 people's names, email addresses, phone numbers, dates of birth, nationalities, and some admin details of beneficiaries is out there from the 108,000 policies stolen, Bupa confirmed.

The now ex-staffer is believed to have made the information they have available to "other parties" too, according to a letter sent to the affected policy holders from Sheldon Kenton, managing director of Bupa Global, the firm's international health insurance division.

"We know that this will be concerning and I would like to personally apologise," Kenton said in the letter, shared with computer security analyst Graham Cluley on Twitter.

Advertisement - Article continues below
Advertisement - Article continues below

Kenton saidin a statement sent to IT Pro: "This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa's other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action."

A spokeswoman added that the firm discovered the breach in June and has been in touch with UK data watchdog the Information Commissioner's Office (ICO) and the police.

IT Pro has asked which 'other parties' may have the data and when the incident took place.

An ICO spokesperson said: "Organisations have a duty to protect people's privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries."

Cluley told IT Pro that the data theft could allow criminals to phone customers posing as Bupa Global staff, sharing enough information about customers to persuade their victims to part with more valuable data.

"It's easy to imagine how someone vulnerable could get a phone call out of the blue, believe it's Bupa, and give the criminals valuable information," he said.

Advertisement - Article continues below

While plenty of companies are worried about external cyber attacks, particularly after recent high-profile campaigns like WannaCry and Petya, Cluley said it's insiders who can be the greatest threat.

"You let people into your organisation, give them accounts and passwords and access to data, all the things hackers would love to have and they have to work very hard to get hold of, but if you have a rotten apple there who's a bit bent, it's very hard to stop them taking information with them if they are determined," Cluley said.

He pointed to tools that can mitigate the insider threat, like access control and data leak prevention software that can monitor if someone takes sensitive information, but added: "There's so much focus on external hackers but it's your staff who should keep you up at night."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020