Bupa worker tried to sell customer data on dark web
Bupa has been fined £175,000 by the ICO after an employee attempted to sell the records of 547,000 Bupa Global customers via the dark web early last year.
The employee in question lifted the data from Bupa’s CRM system, which holds data on 1.5 million of Bupa’s customers. The information stolen included the date of birth, email addresses and nationality of each patient.
The ICO said Bupa failed to protect its customers’ data by not monitoring how its CRM system, SWAN, was used, which allowed an employee to extract valuable information and send these records to a personal email address. Between January and March last year the employee then offered this data for sale on the dark web.
Bupa was only made aware of the issue on 16 June 2017 when a partner told the company it had found its customer information for sale. Bupa also received 198 complaints about the incident and, at this point, the employee in question was dismissed and Sussex Police informed.
Upon investigating how the breach occurred, Bupa discovered a flaw in its activity monitoring system: the flaw meant Bupa was not alerted to unusual activity within its systems, such as bulk data downloads. Even though Bupa discovered and explained this flaw, the ICO said the failure still constituted a breach of the Data Protection Act 1998.
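The monitoring gap the ICO describes is the kind of thing a simple rule over CRM audit logs would have caught: an unusually large number of records exported by one user in a short window, and exports going to a mailbox outside the company. The following is an added illustration, not Bupa's code and not the SWAN system's logging; it assumes a hypothetical audit-log line format (`<ISO timestamp> <user> <action> <record_count> <destination>`), a corporate mail domain of `example-corp.test`, and constructed sample log lines.

```python
"""Detect bulk record exports and external destinations in a CRM audit log.

Added example (not the page's or Bupa's own code). Assumes a hypothetical
audit-log line format:  <ISO timestamp> <user> <action> <record_count> <destination>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"example-corp.test"}  # assumed allowlist of internal mail domains
BULK_THRESHOLD = 500                       # records per user per sliding window
WINDOW = timedelta(hours=1)

# Constructed sample log (not real data): one analyst doing routine work and
# one user pushing records in bulk to a personal webmail address out of hours.
SAMPLE_LOG = """\
2017-01-10T09:02:11 analyst1 VIEW 1 -
2017-01-10T09:05:40 analyst1 EXPORT 25 analyst1@example-corp.test
2017-01-10T22:14:05 user7 EXPORT 200 user7.home@webmail.test
2017-01-10T22:20:31 user7 EXPORT 200 user7.home@webmail.test
2017-01-10T22:33:12 user7 EXPORT 180 user7.home@webmail.test
2017-01-11T10:00:00 analyst1 EXPORT 30 analyst1@example-corp.test
"""


def parse_line(line):
    """Split one audit-log line into a dict; timestamps are ISO 8601."""
    ts, user, action, count, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "count": int(count), "dest": dest}


def detect(log_text, threshold=BULK_THRESHOLD, window=WINDOW,
           corporate_domains=CORPORATE_DOMAINS):
    """Return a list of alert tuples for EXPORT events that look like exfiltration.

    Rule 1: export destination is a mailbox outside the corporate domains.
    Rule 2: a user's exported record count within the sliding window reaches
            the bulk threshold (alerted once per excursion above the line).
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (timestamp, count) inside the window
    totals = defaultdict(int)     # user -> sum of counts currently inside the window
    over_threshold = set()        # users already alerted for the current excursion

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] != "EXPORT":
            continue
        user = ev["user"]

        # Rule 1: destination domain check (a '-' or non-address destination counts as external)
        domain = ev["dest"].rsplit("@", 1)[-1].lower() if "@" in ev["dest"] else ""
        if domain not in corporate_domains:
            alerts.append(("external_destination", user, ev["ts"].isoformat(), ev["dest"]))

        # Rule 2: sliding-window volume check
        q = recent[user]
        q.append((ev["ts"], ev["count"]))
        totals[user] += ev["count"]
        while q and ev["ts"] - q[0][0] > window:      # evict events older than the window
            totals[user] -= q.popleft()[1]
        if totals[user] >= threshold:
            if user not in over_threshold:
                over_threshold.add(user)
                alerts.append(("bulk_export", user, ev["ts"].isoformat(), totals[user]))
        else:
            over_threshold.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the analyst's small exports to a corporate address produce nothing, while `user7` triggers three external-destination alerts and one bulk-export alert once the window total reaches 580 records. In practice the threshold and window would be tuned per role from a baseline of normal CRM usage, and the alert would feed a SIEM rather than stdout.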
“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it,” ICO director of investigations Steve Eckersley said.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”
The ICO said it fined Bupa under the Data Protection Act 1998, and not under the more recent General Data Protection Regulation and Data Protection Act 2018, because the incident occurred before the new legislation came into force.