Bupa employee steals 547,000 customers' data

Financial and medical data not at risk, but insider shared info with "other parties"

More than 500,000 Bupa customers' data is in the wild after an employee "copied and removed" their information from the health insurer's systems.

No medical or financial information is at risk, but 547,000 people's names, email addresses, phone numbers, dates of birth, nationalities, and some admin details of beneficiaries is out there from the 108,000 policies stolen, Bupa confirmed.

Advertisement - Article continues below

The now ex-staffer is believed to have made the information they have available to "other parties" too, according to a letter sent to the affected policy holders from Sheldon Kenton, managing director of Bupa Global, the firm's international health insurance division.

"We know that this will be concerning and I would like to personally apologise," Kenton said in the letter, shared with computer security analyst Graham Cluley on Twitter.

Kenton saidin a statement sent to IT Pro: "This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa's other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action."

A spokeswoman added that the firm discovered the breach in June and has been in touch with UK data watchdog the Information Commissioner's Office (ICO) and the police.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

IT Pro has asked which 'other parties' may have the data and when the incident took place.

An ICO spokesperson said: "Organisations have a duty to protect people's privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries."

Cluley told IT Pro that the data theft could allow criminals to phone customers posing as Bupa Global staff, sharing enough information about customers to persuade their victims to part with more valuable data.

"It's easy to imagine how someone vulnerable could get a phone call out of the blue, believe it's Bupa, and give the criminals valuable information," he said.

While plenty of companies are worried about external cyber attacks, particularly after recent high-profile campaigns like WannaCry and Petya, Cluley said it's insiders who can be the greatest threat.

"You let people into your organisation, give them accounts and passwords and access to data, all the things hackers would love to have and they have to work very hard to get hold of, but if you have a rotten apple there who's a bit bent, it's very hard to stop them taking information with them if they are determined," Cluley said.

He pointed to tools that can mitigate the insider threat, like access control and data leak prevention software that can monitor if someone takes sensitive information, but added: "There's so much focus on external hackers but it's your staff who should keep you up at night."

Advertisement

Recommended

Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020
Visit/security/internet-security/355228/mozilla-fixes-two-firefox-zero-days-being-actively-exploited
internet security

Mozilla fixes two Firefox zero-days being actively exploited

6 Apr 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020