Bupa suffers breach after employee removes sensitive customer data from systems

Global healthcare group Bupa has suffered a data breach at the hands of one of its employees. According to recent reports, it appears that an employee copied and subsequently removed information for 547,000 customers from an internal system.

The managing director of Bupa Global, Sheldon Kenton, said in a video:

“The data comes from one particular part of Bupa, Bupa Global, which handles international health insurance, mainly for people who work overseas or travel on a regular basis. To be clear, this does not affect Bupa’s other businesses, such as Bupa Australia, Bupa Chile and Bupa UK.”

He stated that none of the exposed data included medical or financial data. The data that was accessed included customers’ names, nationality and date of birth, as well as contact information that included membership numbers.

Kenton also said that the affected customers were being informed of the situation and offered an apology. Additional security measures and heightened customer identity checks have been introduced to prevent further issues. The UK Financial Conduct Authority (FCA) and other regulators have been informed, and a thorough investigation will follow.

Kenton continued:

“Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation.”

The employee responsible for the “deliberate act” has been dismissed and Bupa plans to take the appropriate legal action.

Customers who are concerned have been advised to contact Bupa directly, and have been warned to be vigilant with their personal data, as they are now at risk of receiving phishing emails or phone calls.

Educate your staff

Information security is critical within the business environment. Enrol your staff on our Information Security Staff Awareness E-Learning Course so that they gain a better understanding of what is expected of them.

Minimise the risk of human error by making sure non-technical staff are familiar with the basics of information security, including security threats via email, the Internet and in the workplace, and introduce them to your policies on incident reporting and response. Your staff are on the frontline: give them the awareness training they need.


Protect your company

It is vital that organisations have the right security controls in place to prevent malicious acts such as this. A lack of user access management could give unauthorised staff access to highly sensitive customer information, which could then result in a data breach.

IT Governance offers a range of cyber security solutions. For more information, read our Cyber Testing Playbook.