Bupa fined over theft of customer data
Bupa, the healthcare group, has been fined £175,000 for a “systematic data protection failure” after an employee stole thousands of customers’ data and offered it for sale on the dark web.
The breach, which happened between January and March 2017, affected 547,000 Bupa Global customers, who were not informed until two months after the incident. The Information Commissioner’s Office (ICO) said it had discovered technical and organisational failures at Bupa that left 1.5 million records at risk for a long time.
The ICO’s investigation revealed the healthcare insurer did not routinely monitor the information on SWAN, Bupa’s customer relationship management system, and was “unable to detect unusual activity, such as bulk extractions of data”. The employee copied the information on SWAN, deleted it from the company’s database and then tried to sell it on the dark web.
Due to the timing of the breach, Bupa has not been subjected to the new data protection fines under GDPR, which could have forced the company to pay up to £17 million or 4 per cent of its global turnover.
A spokesman for Bupa Global said: “We accept this decision by the ICO and have cooperated fully with its investigation.”