The UK's largest private health insurer BUPA has been breached, potentially exposing the data of over half a million customers. An insider is believed to have been at fault in leaking the records of 547,000 BUPA Global customers. Of those accounts, 43,000 are believed to be located in the UK.
Sheldon Kenton, managing director of BUPA Global, wrote to customers to say “some of your policy information has been inappropriately copied and removed from one of our systems by an employee who has subsequently been dismissed”.
The kinds of information exposed included names, email addresses, dates of birth and phone numbers but, said Kenton, no financial or medical data.
Kenton warned customers to be vigilant, as BUPA believes that the insider has made “the information available to other parties”.
“A thorough investigation is underway and we are taking appropriate legal action,” concluded Kenton. The insurer has informed the relevant regulators, introduced internal security measures and increased customer identity checks.
Kenton also released a video directly addressing those affected, assuring customers that the breach only affected one part of BUPA's business.
Matthias Maier, security evangelist at Splunk, applauded BUPA's response: “This data breach at BUPA is an example of how to communicate a data breach to affected individuals and update them on its potential impact. As of May 2018 when GDPR comes into effect, we will see many more examples like this as it becomes a mandatory obligation.”
“The data breach that BUPA Global has suffered is a classic example of the ‘Insider Threat’ and really highlights the fact that employees can still be an organisation's weakest link with regards to security,” David Kennerley, director of threat research at cybersecurity firm Webroot, told SC Media UK. “An insider threat can be the disgruntled employee looking for revenge, notoriety or a desire to put the world to rights. In BUPA's case it looks like someone who was trying to make a quick buck selling data on to cyber-criminals.”
Insiders, accidental or malicious, loom large in the minds of infosecurity professionals. Verizon's Data Breach Investigations Report underlined the susceptibility of most organisations to this kind of threat. It revealed that 68 percent of healthcare breaches were caused by insiders, mostly for financial gain.
Research carried out by Kaspersky Lab and B2B International last year demonstrated that 28 percent of all cyber-attacks and 38 percent of all targeted attacks involved malicious activity by someone on the inside.