A UK firm that specializes in offering health care insurance to a global client base was fined £175,000 by the Information Commissioner’s Office (ICO) of the United Kingdom. The ICO imposed the fine as a punishment for the firm’s failure to put measures in place to adequately protect the personal information of its clients. The firm was found guilty after a former employee stole the records of over 500,000 clients and turned to the dark web, where he put them up for sale.
According to the ICO, Bupa Insurance Services Limited, an international health insurance provider, failed to monitor login activity on its data storage system. This failure made it possible for the employee to steal the details of insurance policies belonging to 547,000 clients. The details were sent to his email between January and March 2017. After stealing the data, the employee opened a vendor account on the now-defunct AlphaBay marketplace, where he offered the data for sale.
The employee went by the vendor name MoZeal and claimed to have insurance information from 1,222 countries for sale. The vendor also claimed that the information was exclusive, as he was the only person with access to the data he had put up.
The employee claimed to have up to one million records for sale, of which 130,000 belonged to UK-based clients. The data contained personal information such as full name, date of birth, gender, email address and membership details. The employee, however, did not expose the clients’ financial information.
On learning of the data breach, Bupa announced that 108,000 international policies had been exposed. The firm then sent an email to its affected clients acknowledging that their personal details and other sensitive information had been compromised. The email also reassured the clients that their financial and medical information had not been exposed. Bupa later released a statement saying that the 108,000 policies were tied to 547,000 customers. The statement also noted that the employee held more than one copy of some policies, which accounted for his claim that he had one million records for sale.
Bupa ultimately fired the employee and pressed charges against him. An arrest warrant was later issued against the employee. The number of policies the employee had managed to sell could not be determined, as AlphaBay was shut down before such details could be uncovered.
The ICO imposed the fine on Bupa after its investigation, led by the ICO’s Director of Investigations Steve Eckersley, revealed that Bupa had failed to adequately protect the personal data of its clients. According to Eckersley, Bupa’s data storage had systemic weaknesses that were not monitored carefully. According to the ICO, Bupa did not give a good reason for its failure to properly secure clients’ sensitive information.
Bupa’s failure to adequately secure clients’ data left over 1.5 million policy records at risk of exposure. The weaknesses in Bupa’s system made it possible for the employee to transfer records easily without raising any alarms. The initial breach resulted in 198 complaints from clients to both Bupa and the ICO.
Since the breach took place in 2017, Bupa was fined under the provisions of the Data Protection Act 1998. Had the breach occurred after the General Data Protection Regulation (GDPR) came into force in 2018, the penalty could have been more severe.
A statement released by Bupa showed that the firm had accepted the fine and that it had fully cooperated with the ICO during the investigation. The firm also said it had put additional measures in place to ensure its customers’ data would remain protected against future attacks.
The ICO also fined Yahoo! UK £250,000 in May in relation to the 2014 data breach. That breach compromised the accounts of 500 million Yahoo users. Yahoo only made the breach public in 2016, approximately two years later. The ICO’s fine on Yahoo focused on the 515,121 accounts that belonged to UK users.