Bupa Insurance Services has been whacked with a £175,000 fine by the Information Commissioner’s Office for failing to have effective security measures in place to protect customers’ personal information after an employee stole hundreds of thousands of customer records and then sold them on the Internet.
An ICO investigation found that between January 6 and March 11 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.
The employee accessed the information through Bupa’s CRM system, known as SWAN, which holds customer records relating to 1.5 million people.
The employee then sent bulk data reports to his personal email account. The compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web.
The ICO’s investigation found that, at the time, Bupa did not routinely monitor SWAN’s activity log. Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data.
Bupa was alerted to the breach on June 16 2017 by an external partner who spotted customer data for sale.
Bupa and the ICO received 198 complaints about the incident. The rogue employee was dismissed and Sussex Police issued a warrant for his arrest.
ICO director of investigations Steve Eckersley said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”