Bupa fined £175,000 after employee stole 500,000 customer records and tried to sell them online
Healthcare giant Bupa has been fined £175,000 by UK regulators for "systematic data protection failures" after an employee stole thousands of customers' data and offered it for sale on the dark web.
The data breach, which happened between January and March 2017, affected 547,000 Bupa Global customers, who were not informed until two months after the incident.
The Information Commissioner's Office (ICO) said that it had discovered technical and organisational failures at Bupa that left 1.5 million records at risk for a long time.
The employee accessed the customer information through Bupa's customer relationship management system, known as SWAN, copied the information, deleted it from the company's database and then tried to sell it on the dark web.
The ICO's investigation revealed that the healthcare insurer did not routinely monitor the information on SWAN, and was "unable to detect unusual activity, such as bulk extractions of data".
Bupa and the ICO received 198 complaints about the incident, which was first reported as affecting 108,000 customers. The stolen data included names, dates of birth, nationalities and some contact details. At the time, the company said no medical or financial data was lost.
Because of the timing of the breach, Bupa has not been subject to the new data protection fines under GDPR, which could have forced the company to pay up to £17m or 4pc of its global turnover.
“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it,” an ICO spokesman said.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”
Bupa joins a string of companies fined by the ICO, the most recent of which was Equifax, which faced a £500,000 fine for the breach of 15m UK customers' data.
A spokesman for Bupa Global said: “We accept this decision by the ICO and have cooperated fully with its investigation. We take our responsibility for protecting customer information very seriously. We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks.”
Source: The Telegraph