The Information Commissioner has fined Bupa £175,000 for ‘systemic data protection failures’.
The Information Commissioner’s Office (ICO) penalised the company for "failing to have effective security measures in place to protect customers’ personal information". It relates to a case involving a Bupa employee who was able to extract the personal information of 547,000 Bupa Global customers from the company’s Swan customer relationship management system (CRM) between 6 January and 11 March 2017.
The ICO investigation found that Bupa failed to monitor the Swan activity log. The company was "unaware of a defect in the system and was unable to detect unusual activity".
The breach was a violation of the Data Protection Act 1998 and was handled under the provisions of that law, which provided for a maximum penalty of £500,000. Had it been handled under the General Data Protection Regulation and the Data Protection Act 2018, the ICO would have been able to fine Bupa up to four percent of global annual turnover (some £25 million based on 2014 results).
The stolen data – which included names, dates of birth, email addresses and nationality – was offered for sale on the dark web. A warrant for the arrest of the employee alleged to have stolen the data has been issued by Sussex Police.
The employee was able to exfiltrate the information by generating bulk data reports in the CRM and sending them to his personal email address.
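The two failures the ICO describes, an activity log nobody reviewed and bulk reports mailed to a personal address, are the kind of thing a few rules over the export log would have surfaced. The following is an added illustration, not Bupa's code and not the Swan CRM's real log format: the log layout, the field names, the corp.example mail domain, the thresholds and the sample log lines are all constructed for this example.

```python
"""Detection rules over a constructed CRM export log.

Added illustration only: the log format, field names, the 'corp.example'
domain and the thresholds are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate mail domain; any other domain counts as external.
CORP_DOMAIN = "corp.example"
# Assumed thresholds: one export above SINGLE_EXPORT_LIMIT records, or more
# than WINDOW_LIMIT records exported by one user within WINDOW, is flagged.
SINGLE_EXPORT_LIMIT = 5_000
WINDOW = timedelta(days=7)
WINDOW_LIMIT = 20_000

# Constructed sample log: timestamp, user, action, record count, destination.
SAMPLE_LOG = """\
2017-01-06T09:12:00 jsmith  export_report 120   jsmith@corp.example
2017-01-06T17:40:00 agreen  export_report 6500  agreen@corp.example
2017-01-09T08:03:00 agreen  export_report 4900  agreen.private@mail.example
2017-01-11T19:22:00 agreen  export_report 4800  agreen.private@mail.example
2017-01-12T19:35:00 agreen  export_report 4700  agreen.private@mail.example
2017-01-13T18:10:00 jsmith  view_record   1     -
2017-02-02T07:55:00 agreen  export_report 4950  agreen.private@mail.example
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, dest = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "action": action,
            "count": int(count),
            "dest": dest,
        })
    return events


def is_external(dest):
    """True when a report was mailed to an address outside CORP_DOMAIN."""
    return "@" in dest and dest.rsplit("@", 1)[1].lower() != CORP_DOMAIN


def detect(events):
    """Return (rule, user, timestamp, detail) alerts for export events.

    external_destination: an export mailed outside the corporate domain
    large_export:         a single export above SINGLE_EXPORT_LIMIT records
    volume_window:        a user's exports within a sliding WINDOW exceed
                          WINDOW_LIMIT (fires once, when the total crosses)
    """
    alerts = []
    history = defaultdict(list)  # user -> [(ts, count)] of exports in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "export_report":
            continue
        if is_external(ev["dest"]):
            alerts.append(("external_destination", ev["user"], ev["ts"], ev["dest"]))
        if ev["count"] > SINGLE_EXPORT_LIMIT:
            alerts.append(("large_export", ev["user"], ev["ts"], ev["count"]))
        # Slide the window: keep only this user's exports newer than WINDOW.
        cutoff = ev["ts"] - WINDOW
        hist = [(t, c) for t, c in history[ev["user"]] if t >= cutoff]
        hist.append((ev["ts"], ev["count"]))
        history[ev["user"]] = hist
        total = sum(c for _, c in hist)
        before_this_event = total - ev["count"]
        if total > WINDOW_LIMIT >= before_this_event:
            alerts.append(("volume_window", ev["user"], ev["ts"], total))
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:<20} {user:<8} {detail}")
```

The point of the windowed rule is that a steady trickle of moderately sized reports, which is what a nine-week extraction of 547,000 records looks like, never trips a per-export limit but does cross a weekly volume threshold; the external-destination rule catches the personal-mailbox pattern regardless of size. None of this helps unless the log is actually collected and someone, or something, reads it, which is the gap the ICO found.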
ICO director of investigations, Steve Eckersley, said: "Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.
"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them."
Sheldon Kenton, managing director of Bupa Global, said in a statement issued to customers in July 2017 that the information did not include any financial or medical information and was for customers of its international health insurance products.
Bupa said that the number of compromised policy records was 108,000, covering 547,000 people, some of whom were no longer customers of the company.
Bupa was alerted to the breach in June 2017 by a third party who saw the data for sale.
The ICO and Bupa have received 198 complaints about the incident.