UK Insurer Bupa suffers data breach by rogue employee
A rogue employee attempting to make a profit on the Dark Web in 2017 breached the data systems of Bupa, a U.K.-based international health insurer. The employee, who goes under the codename “MoZeal” and who offered the database for sale on Alpha Bay, one of many sites on the Dark Web, has exposed data for 108,000 policies and claims to have information for as many as one million customers.
The data is understood to include birth dates, nationalities, home phone numbers, work details, and customer identification numbers. Bupa’s own investigation established that information about 108,000 policies covering 547,000 customers had been copied and removed.
Sheldon Kenton, managing director of Bupa Global, in a video statement issued an apology and explained that none of the information taken contained personal financial or medical information, and that the records were related mostly to clients who work overseas or travel on a regular basis. At issue is the potential for criminals with access to stolen data to trick customers into revealing more sensitive information such as credit card numbers.
This case highlights two things: the importance of quick and honest communication from the victim of a data breach to its customers, and the fact that many severe data breaches are caused by insiders rather than outside hackers. Common mitigation measures include due diligence on employees and outsiders who will be accessing systems; however, due diligence needs to be repeated regularly in order to detect changes in personal circumstances and attitudes. A company's best defense probably lies in granting access to data on a "need-to-know" basis only, as opposed to having one big network where everyone can access everything. Data access logs should be collected and reviewed for anomalies, and staff should be trained regularly on access rules and policies and on avoiding phishing scams.
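As an added illustration of the access-log review recommended above (example code, not from the article and not Bupa's own tooling), this Python snippet counts the distinct customer records each user touches per day and flags a day that is far above that user's own baseline, which is how a bulk copy by an otherwise ordinary account tends to stand out. The log format, user names, policy ids and thresholds are constructed assumptions.

```python
# Flag user-days where the number of distinct customer records touched is far
# above that user's own typical volume. Log format and data are constructed.
from collections import defaultdict
from statistics import median

# Constructed access-log sample, one event per line: date,user,action,policy_id
ACCESS_LOG = """\
2017-06-01,alice,read,P1001
2017-06-01,alice,read,P1002
2017-06-01,bob,read,P2001
2017-06-02,alice,read,P1003
2017-06-02,bob,read,P2002
2017-06-02,bob,read,P2003
2017-06-03,alice,read,P1004
2017-06-03,bob,read,P2004
2017-06-03,bob,read,P2005
2017-06-03,bob,read,P2006
2017-06-03,bob,read,P2007
2017-06-03,bob,read,P2008
2017-06-03,bob,read,P2009
2017-06-03,bob,export,P2010
"""


def records_per_user_day(log_text):
    """Return {user: {date: number of distinct policy records touched}}."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        date, user, _action, policy_id = line.split(",")
        seen[(user, date)].add(policy_id)
    counts = defaultdict(dict)
    for (user, date), ids in seen.items():
        counts[user][date] = len(ids)
    return counts


def flag_anomalies(counts, ratio=3.0, min_records=5):
    """Alert on a user-day whose count is above an absolute floor AND more than
    `ratio` times the median of that user's other days. The floor suppresses
    noise from tiny numbers; the ratio keeps the check relative to each role's
    normal need-to-know workload instead of one global limit."""
    alerts = []
    for user, by_day in counts.items():
        for date, count in sorted(by_day.items()):
            others = [c for d, c in by_day.items() if d != date]
            baseline = max(median(others), 1.0) if others else 1.0
            if count >= min_records and count > ratio * baseline:
                alerts.append((user, date, count, baseline))
    return alerts


if __name__ == "__main__":
    for user, date, count, baseline in flag_anomalies(records_per_user_day(ACCESS_LOG)):
        print(f"ALERT {date} {user}: {count} records vs typical {baseline:g}")
```

In a real deployment the baseline would come from weeks of history and the alert would feed the regular log review the paragraph calls for.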