Insurance company Bupa has been fined £175,000 after an employee offered the personal data of 547,000 customers for sale on the dark web.
The details, which included names, dates of birth, email addresses and nationality, were accessed by an employee who then attempted to sell them.
The Information Commissioner’s Office (ICO) fined the insurer for failing to have effective security measures in place to protect customers’ personal information. The employee accessed the information between 6 January and 11 March 2017 via Bupa’s customer relationship management system, which holds customer records relating to 1.5 million people. The employee also sent bulk data reports, including names, dates of birth, email addresses and nationality, to his personal email account before the data was put up for sale online.
ICO director of investigations, Steve Eckersley, said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.” An investigation revealed “systemic inadequacies” in Bupa’s safeguarding of personal data and showed that these failures had “gone unchecked for a long time,” Mr Eckersley added. Failing to keep personal data secure is a breach of the Data Protection Act 1998. Bupa was alerted to the breach on 16 June 2017 by an external partner who spotted customer data for sale. In total, Bupa and the ICO received 198 complaints about the incident. As a result, the rogue employee was dismissed and Sussex Police issued a warrant for his arrest.
A spokesperson for Bupa Global said: “We accept this decision by the ICO and have co-operated fully with its investigation. We take our responsibility for protecting customer information very seriously. We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks.”
Written by Jedidajah Otte – The Independent – September 2018