Bupa employee steals information affecting 108,000 insurance plans

data security
"We have been made aware of an issue involving Bupa Global and are making enquiries,” said an Information Commissioner’s Office spokesperson

Bupa employee steals customer information, affecting more than 100,000 medical insurance plans

[London, UK] Private healthcare company Bupa has discovered an employee has interfered with more than 100,000 international medical insurance plans of customers.

The person has since been dismissed from their role, after not only copying, but also removing information from the company’s database.

In an email from Bupa Global’s Managing Director, Sheldon Kenton, posted on Twitter, customers are being informed that medical or financial data has not been stolen, with the employee only downloading names, birth dates or contact and administrative details.

In the document, Kenton adds: “Protecting the information we hold about you is our absolute priority, and I am sorry that this has happened. We are treating this seriously and taking steps to address this situation.

“This was not a cyber attack or external data security breach, but a deliberate act by the employee. We have introduced additional internal security measures and increased our customer identity checks.

“A thorough investigation is underway and we are taking appropriate legal action.”

ICO ‘making enquiries’

An Information Commissioner’s Office spokesperson said: "Organisations have a duty to protect people's privacy and personal data.

"We have been made aware of an issue involving Bupa Global and are making enquiries."

Commenting on the incident, Matthias Maier, Security Evangelist, Splunk, added: “This Bupa example has illustrated how insiders have the advantage - they are within the organisation and have access to the environment.

“No perimeter defense or rule-based system can be effective in detecting, let alone preventing, their malicious activity.

“As a result, insider threats are amongst the hardest to catch and most successful in exfiltrating valuable corporate and customer data.”