The Information Commissioner’s Office (ICO) has fined Bupa Insurance Services Limited (Bupa) £175,000 for its failure to protect the personal information of its customers. Had the timing of the breach been different, Bupa would have faced fines under the General Data Protection Regulation (GDPR), but the security incident occurred before that regulation came into effect.
According to the ICO, a Bupa employee stole the personal data of 547,000 customers between January 6 and March 11, 2017. By emailing himself bulk data reports, the employee was able to pilfer personal information that reportedly included names, dates of birth, nationalities and administrative information for the policy and its beneficiaries, including membership number, email address, and phone and fax numbers, but not any medical information.
In the Monetary Penalty Notice, ICO wrote, “The monetary penalty concerns Bupa Global's customer relationship management system ('SWAN') which holds customer records relating to 1.5 million data subjects. SWAN is used to manage claims made by Bupa Global customers under their international health insurance policies.”
Because Bupa did not have effective security measures in place and did not routinely monitor SWAN activity logs, the employee was able to email the reports to his personal email account and then put the information up for sale on the dark web.
After an external partner alerted Bupa to the breach on June 16, 2017, the employee was terminated. Until that point, “Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data,” ICO wrote.
For breaching the mandate that companies keep personal data secure, Bupa received the maximum penalties under the Data Protection Act 1998, which preceded the GDPR. ICO director of investigations Steve Eckersley said in the September 28 post, “Bupa failed to recognize that people’s personal data was at risk and failed to take reasonable steps to secure it.”
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”