Bupa fined £175,000 for systemic data protection failures
Bupa Insurance Services Limited (Bupa) has been fined £175,000 by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to protect customers’ personal information.
Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web. The employee accessed the information via Bupa’s customer relationship management system, known as SWAN. The system holds customer records relating to 1.5 million people.
The employee sent bulk data reports to his personal email account. The compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web.