Bupa employee steals 547,000 customers' data

Financial and medical data not at risk, but insider shared info with "other parties"

More than 500,000 Bupa customers' data is in the wild after an employee "copied and removed" their information from the health insurer's systems.

No medical or financial information is at risk, but 547,000 people's names, email addresses, phone numbers, dates of birth, nationalities, and some admin details of beneficiaries is out there from the 108,000 policies stolen, Bupa confirmed.

The now ex-staffer is believed to have made the information they have available to "other parties" too, according to a letter sent to the affected policy holders from Sheldon Kenton, managing director of Bupa Global, the firm's international health insurance division.

"We know that this will be concerning and I would like to personally apologise," Kenton said in the letter, shared with computer security analyst Graham Cluley on Twitter.

Kenton saidin a statement sent to IT Pro: "This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa's other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action."

A spokeswoman added that the firm discovered the breach in June and has been in touch with UK data watchdog the Information Commissioner's Office (ICO) and the police.

IT Pro has asked which 'other parties' may have the data and when the incident took place.

An ICO spokesperson said: "Organisations have a duty to protect people's privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries."

Cluley told IT Pro that the data theft could allow criminals to phone customers posing as Bupa Global staff, sharing enough information about customers to persuade their victims to part with more valuable data.

"It's easy to imagine how someone vulnerable could get a phone call out of the blue, believe it's Bupa, and give the criminals valuable information," he said.

While plenty of companies are worried about external cyber attacks, particularly after recent high-profile campaigns like WannaCry and Petya, Cluley said it's insiders who can be the greatest threat.

"You let people into your organisation, give them accounts and passwords and access to data, all the things hackers would love to have and they have to work very hard to get hold of, but if you have a rotten apple there who's a bit bent, it's very hard to stop them taking information with them if they are determined," Cluley said.

He pointed to tools that can mitigate the insider threat, like access control and data leak prevention software that can monitor if someone takes sensitive information, but added: "There's so much focus on external hackers but it's your staff who should keep you up at night."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
Trump pardons convicted ex-Google engineer Levandowski
intellectual property

Trump pardons convicted ex-Google engineer Levandowski

20 Jan 2021