Bupa fined after details of 500,000 customers offered for sale on dark web

Bupa has been fined £175,000 for failing to have effective security measures in place to protect customers' personal information.
Photo credit: BUPA/PA Wire

The penalty was imposed on Bupa Insurance Services Limited by the Information Commissioner's Office (ICO).

The watchdog said that, between January and March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.


The employee, who was later dismissed, accessed the information via Bupa's customer relationship management system, known as Swan, which holds records relating to 1.5 million people.

The employee sent bulk data reports to his personal email account and the compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web, the ICO said.

ICO director of investigations Steve Eckersley said: "Bupa failed to recognise that people's personal data was at risk and failed to take reasonable steps to secure it.

"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."


Bupa was alerted to the breach in June 2017 by an external partner who spotted customer data for sale.

Bupa and the ICO received 198 complaints about the incident.

The ICO said its investigation found that, at the time, Bupa did not routinely monitor Swan's activity log. Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data.
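The ICO's finding turns on two missed controls: the activity log existed but nobody reviewed it, and nothing in the pipeline flagged a single account pulling tens of thousands of records or sending reports to a personal mailbox. The script below is an added illustration of the kind of routine check that closes that gap; it is not Bupa's code and has nothing to do with the real Swan system. It assumes a hypothetical line-per-event audit format (`<ISO timestamp> user=<id> action=<verb> records=<n> dest=<where>`), constructed sample lines, an assumed corporate mail domain `corp.example`, and an assumed per-user daily export ceiling of 1,000 records; a real deployment would take these from the CRM's own log schema and from a baseline of observed behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines in an assumed format (not a real system's log).
# u2201 exports large volumes to an outside mailbox on three consecutive days;
# u1043 exports small reports to an internal address or report queue.
SAMPLE_LOG = """\
2017-01-09T08:12:44 user=u1043 action=view records=1 dest=screen
2017-01-09T08:15:02 user=u1043 action=export records=250 dest=mailto:u1043@corp.example
2017-01-09T09:01:10 user=u2201 action=export records=48000 dest=mailto:u2201@mail.example
2017-01-09T09:30:55 user=u0517 action=view records=3 dest=screen
2017-01-10T07:58:31 user=u2201 action=export records=52000 dest=mailto:u2201@mail.example
2017-01-10T10:02:19 user=u1043 action=export records=300 dest=report-queue
2017-01-11T11:45:00 user=u2201 action=export records=61000 dest=mailto:u2201@mail.example
this line is malformed and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) dest=(?P<dest>\S+)$"
)


def parse_log(text):
    """Parse audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["records"] = int(ev["records"])
        events.append(ev)
    return events


def daily_export_totals(events):
    """Sum exported record counts per (user, calendar day)."""
    totals = defaultdict(int)
    for ev in events:
        if ev["action"] == "export":
            totals[(ev["user"], ev["ts"].date())] += ev["records"]
    return totals


def flag_bulk_exports(events, max_records_per_day=1000, corporate_domains=("corp.example",)):
    """Return findings as (day, user, reason, detail) tuples.

    Rule 1: a user's export volume in one day exceeds the assumed ceiling.
    Rule 2: an export is addressed to a mailbox outside the corporate domains.
    """
    findings = []
    for (user, day), total in sorted(daily_export_totals(events).items()):
        if total > max_records_per_day:
            findings.append((day.isoformat(), user, "bulk-export", total))
    for ev in events:
        if ev["action"] == "export" and ev["dest"].startswith("mailto:"):
            domain = ev["dest"].split("@", 1)[-1].lower()
            if domain not in corporate_domains:
                findings.append((ev["ts"].date().isoformat(), ev["user"], "external-email", ev["dest"]))
    return findings


if __name__ == "__main__":
    for day, user, reason, detail in flag_bulk_exports(parse_log(SAMPLE_LOG)):
        print(f"{day} {user} {reason}: {detail}")
```

Run daily against the previous day's log, the two rules would have surfaced the pattern the ICO describes (large extractions, repeated over weeks, routed to a personal address) long before an outside party found the data on sale. The fixed ceiling is the weakest part of the design: a per-user or per-role baseline derived from historical export sizes generalises better than one constant, and the external-address rule should be backed by mail-gateway controls rather than relying on the CRM log alone.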

Failing to keep personal data secure is a breach of the Data Protection Act 1998.


A spokeswoman for Bupa Global said: "We accept this decision by the ICO and have co-operated fully with its investigation.

"We take our responsibility for protecting customer information very seriously.

"We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks."