UK regulators have fined Bupa £175,000 over “systematic data protection failures” after one of its employees stole thousands of customers’ personal data and attempted to sell it on the dark web.
Due to the timing of the breach, the company has dodged the new data protection fines under GDPR, which could have seen the company fork over up to £17 million or 4% of its global turnover.
The 547,000 Bupa Global customers affected by the breach were not informed until two months after the incident, which took place between January and March 2017. The perpetrator had accessed the customer data through SWAN and copied the information before deleting it from the company’s database.
Initially, the company had reported that the breach had only affected 108,000 customers, but this figure was eventually revised. The data stolen included names, dates of birth, nationalities and some contact details.
Bupa Failed to Take Reasonable Precautions
The Information Commissioner’s Office (ICO) said there had been technical and organisational failures at Bupa, which had left 1.5m records at risk for a significant period of time.
According to the ICO, Bupa had failed to routinely monitor the information on SWAN – Bupa’s customer relationship management system – and was therefore “unable to detect unusual activity, such as bulk extractions of data”.
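As an added illustration, not code from the article, the ICO or Bupa: a small Python detector for the kind of bulk-extraction pattern the ICO said unmonitored SWAN activity could not surface. The audit-log format, user ids, record counts and the window/threshold limits are all constructed assumptions, not details of Bupa's system.

```python
# Added example, not from the article or Bupa's systems: flag users whose
# exported record volume within a sliding time window exceeds a threshold.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CRM audit log: timestamp,user,action,record_count
SAMPLE_LOG = """\
2017-01-09T08:01:12Z,u1042,view,1
2017-01-09T08:03:40Z,u1042,view,1
2017-01-09T08:05:02Z,u2210,export,250
2017-01-09T08:06:15Z,u2210,export,3000
2017-01-09T08:07:48Z,u2210,export,40000
2017-01-09T09:30:00Z,u1042,export,20
"""

def parse_log(text):
    """Parse CSV lines into (timestamp, user, action, record_count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, int(count)))
    return events

def bulk_extractions(events, window_seconds=600, threshold=1000):
    """Return {user: peak_records} for users whose exported record count within
    any window of window_seconds exceeds threshold. Both limits are placeholder
    values to tune against a real baseline; the point is that exports are summed
    per user over time rather than judged one request at a time."""
    per_user = defaultdict(list)
    for ts, user, action, count in events:
        if action == "export":
            per_user[user].append((ts, count))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for user, exports in per_user.items():
        exports.sort()
        start, total = 0, 0
        for ts, count in exports:
            total += count
            while ts - exports[start][0] > window:  # slide the window forward
                total -= exports[start][1]
                start += 1
            if total > threshold:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged

def detect(text, **limits):
    """Convenience wrapper: parse a log and return the flagged users."""
    return bulk_extractions(parse_log(text), **limits)
```

On the constructed log, `detect(SAMPLE_LOG)` flags only `u2210`, whose three exports within ten minutes sum to 43,250 records, while the routine single-record views and the small export by `u1042` are left alone.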
The health insurer and the ICO received 198 complaints about the breach and the guilty employee was fired – Sussex Police have since issued a warrant for his arrest. An ICO spokesperson commented: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”
A spokesperson for Bupa Global said: “We accept this decision by the ICO and have cooperated fully with its investigation. We take our responsibility for protecting customer information very seriously.
“We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks.”
Bupa is the latest in a line of companies fined by the ICO: Equifax faced a £500,000 fine for the breach of its 15m UK customers’ data, while TalkTalk was fined £400,000 after 157,000 individuals’ bank account details and sort codes were stolen due to lax security.