Bupa employee steals 547,000 customers' data

Financial and medical data not at risk, but insider shared info with "other parties"

More than 500,000 Bupa customers' data is in the wild after an employee "copied and removed" their information from the health insurer's systems.

No medical or financial information is at risk, but 547,000 people's names, email addresses, phone numbers, dates of birth, nationalities, and some admin details of beneficiaries is out there from the 108,000 policies stolen, Bupa confirmed.

Advertisement - Article continues below

The now ex-staffer is believed to have made the information they have available to "other parties" too, according to a letter sent to the affected policy holders from Sheldon Kenton, managing director of Bupa Global, the firm's international health insurance division.

"We know that this will be concerning and I would like to personally apologise," Kenton said in the letter, shared with computer security analyst Graham Cluley on Twitter.

Kenton saidin a statement sent to IT Pro: "This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa's other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action."

A spokeswoman added that the firm discovered the breach in June and has been in touch with UK data watchdog the Information Commissioner's Office (ICO) and the police.

Advertisement - Article continues below
Advertisement - Article continues below

IT Pro has asked which 'other parties' may have the data and when the incident took place.

An ICO spokesperson said: "Organisations have a duty to protect people's privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries."

Cluley told IT Pro that the data theft could allow criminals to phone customers posing as Bupa Global staff, sharing enough information about customers to persuade their victims to part with more valuable data.

"It's easy to imagine how someone vulnerable could get a phone call out of the blue, believe it's Bupa, and give the criminals valuable information," he said.

While plenty of companies are worried about external cyber attacks, particularly after recent high-profile campaigns like WannaCry and Petya, Cluley said it's insiders who can be the greatest threat.

"You let people into your organisation, give them accounts and passwords and access to data, all the things hackers would love to have and they have to work very hard to get hold of, but if you have a rotten apple there who's a bit bent, it's very hard to stop them taking information with them if they are determined," Cluley said.

He pointed to tools that can mitigate the insider threat, like access control and data leak prevention software that can monitor if someone takes sensitive information, but added: "There's so much focus on external hackers but it's your staff who should keep you up at night."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020