Bupa faces fine for data breach

A skull and crossbones against lines of code.
Travel insurance

The Information Commissioner’s Office (ICO) in the UK has fined healthcare giant Bupa after an investigation into a Bupa employee who uploaded customers’ data to the dark web to sell. Bupa has been fined £175,000 for the 2017 incident, in which an employee took data from 547,000 global customers and tried to sell it; ICO said that Bupa did not have ‘effective security measures in place to protect customers’ personal information’.

“Bupa failed to recognise that people’s personal data was at risk,” said ICO, “and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, [our] investigation found no satisfactory explanation for them.”

ICO’s investigation found that that the employee in question, utilising Bupa’s customer relationship management system SWAN, emailed himself ‘bulk data reports’ containing names, dates of birth, nationalities and email addresses. The records were spotted on the dark web by an ‘external partner’; the site was shut down by authorities in the US later in 2017.

Bupa said that it accepted the decision of ICO and had offered its full co-operation in the investigation: “We take our responsibility for protecting customer information very seriously. We have since introduced additionally security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks.”

How can companies protect themselves – and their customers?
As the incident took place last year, it was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, rather than the General Data Protection Regulation and 2018 Act, which came into effect this year. ICO has offered some tips to companies so that they can protect their IT systems under the new Act.

ICO advises businesses to: install firewalls; ensure that operating systems are set up to update automatically; protect computers with the latest security patches; only allow staff access to the information they specifically need for their job, and ensure they do not share passwords; encrypt sensitive personal information held electronically; create regular backups of all data and store them in a separate location; securely remove all personal information before an old computer is disposed of; and install anti-spyware tools. Companies should also make it possible to encrypt or password protect particularly sensitive emails.

Companies are also advised to make sure that staff are fully trained up in this area so that they know what is expected of them and will be wary if an outside party attempts to trick them into divulging personal information (if they are fully trained, they can also be fully prosecuted if they knowingly give out personal information without express permission). Strong passwords should be mandatory for all employees, and spam emails should never be opened.

This incident with Bupa should serve as a wake-up call to all companies working in the insurance and financial services space that the new cybersecurity landscape is complex and potentially costly; threats will not always necessarily come from bad actors operating outside of the company, so all businesses need to ensure that they know exactly what they are dealing with and take all potential precautions. Otherwise, not only will the bottom line – and the company’s reputation – suffer, but customers will too.