Bupa insider data breach affects 500,000

The Bupa data breach is the latest instance of a rogue employee leaking personal data for anyone to access.

This article was updated on Friday 14th July at 09:16

Since this article was originally posted, the number of those affected by a Bupa employee copying and removing information relating to international health insurance plan customers has risen to 547,000, the company has said.

Bupa has suffered a data breach after an employee of its international health insurance division inappropriately copied and removed some customer information from the company.

The data that was leaked included names, dates of birth, nationalities, some contact and administrative information but not financial or medical data.

Bupa made the relevant customers aware of the leaked data, and in a statement added that protecting customer information was “an absolute priority”.

“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” said Sheldon Kenton, managing director of Bupa Global.

“The employee responsible has been dismissed and we are taking appropriate legal action.”

Paul Edon at security software firm Tripwire said: “Unfortunately, humans are the weakest link in security.

“Despite many of us being trustworthy, there are some insiders that break and damage that trust.”

The Information Commissioner’s Office said it was aware of the issue.

It appears the healthcare sector is particularly vulnerable to damaging data breaches, especially from the insider threat. Over two thirds (68%) of breaches in healthcare were caused by people with inside access, such as employees. In fact, healthcare is the only industry where insiders are the predominant threat actors in breaches (overall, 25% of all breaches in healthcare are caused by insiders). Insiders in healthcare are mostly motivated by financial gain (44%), followed closely by a desire to just have some fun (38%).

The 2017 DBIR draws its findings from an analysis of more than 79,000 security incidents and 1,945 confirmed data breaches, across 79 countries. This data was investigated by Verizon and 67 other contributors during 2016, including the US Secret Service, UK legal services firm Mishcon de Reya, UK insurer Chubb and the Irish Reporting and Information Security Service (IRISS CERT).

So, what can hackers use this data for?

Mark James, security specialist at ESET, explains how this data can be used by hackers and what users should look out for in the meantime.

“Data breaches are fast becoming the norm these days. We hear more and more about snippets of information being hoarded and collated within the internet to build profiles for unsuspecting phishing or scam victims. Attacks from outside usually can’t be anticipated or guessed but attacks from within are another matter. Employees who handle valuable information are of course trusted to keep it safe. There are of course many security measures we can have in place to protect that data from being leaked or stolen and we would expect measures like “Data Loss Protection” DLP to be in place to keep our most valued data safe.”

“In this instance, there seems to be a clear indication of what was and was not stolen with an emphasis on what’s “not” but any of the said data could be used in an attempt to scam or phish other details from you. When it comes to medical data we generally like to keep it to ourselves so any email or direct contact would more than likely be kept private. In an email to customers, Sheldon Kenton stated “The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.”

“When we receive spam emails we have to make a decision on its validity. When it states “Dear Sir” or “Dear valued customer” then we often won’t give it the time of day, but if that data is specific to the company then our attention is drawn and we are more than likely to be a victim as a result. If you are contacted by phone or email then double check with the sending organisation before further communication is made. They are fully aware of the problems these breaches cause and seem to be doing all the right things like notifying the affected parties and providing as much info as possible via a web page and video.”

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...