ICO fines Bupa £175,000 for failing to prevent 2016 data breach
8 October 2018
The Information Commissioner’s Office (ICO) recently issued a penalty of £175,000 to health insurance company Bupa for failing to prevent a massive data breach last year that compromised personal information of up to 108,000 international health insurance customers.
The breach took place when a malicious employee at Bupa gained access to the company’s customer relationship management system (“SWAN”) that stored personal information of 1.5 million customers, misused his privileged access to steal data of 108,000 customers and then put up the data for sale on the dark web.
Personal data of subscribers to Bupa’s health insurance schemes compromised by the employee included names, dates of birth, nationality, membership numbers, email addresses, phone and fax numbers, and some contact and administrative information. Bupa had authorised 20 users working in its Partnership Advisory Team and 1,351 other users to access the SWAN database based on their respective business functions.
Bupa’s lack of access controls allowed insider access
While announcing a £175,000 penalty on Bupa under the 1998 Data Protection Act, the ICO noted that Bupa ” failed to take appropriate technical and organisational measures against unauthorised and unlawful processing of the personal data which was accessible through SWAN”.
When privileged access rights are assigned by an organisation to hundreds of employees, it is natural to expect the organisation to monitor how customer data is being accessed by the said employees under information governance practices. However, the ICO found that Bupa did not routinely monitor SWAN’s activity log and thereby failed to detect the bulk extraction of customer data from the database.
“It did not undertake any adequate risk assessment of those features of SWAN. That was a material organisational inadequacy, given the volume of personal data accessible through SWAN, the number of data subjects involved, the number of individuals with access to SWAN, and the ease with which they could access it.
“20 PAT members were also able to make searches, view large numbers of customer records at a time and export data to separate applications and files including file sharing platforms and social media. Those capabilities facílitated potential large-scale misuse of the relevant personal data over a short períod of time. There was no adequate justification for those capabilities,” the ICO said.
It added that such oversight took place even though Bupa knew that there was a risk of contravention that could cause substantial damage or distress, and that there was a chance of unauthorised use of customer data accessed through SWAN. Even though the company had ample opportunity over a long period of time to implement appropriate technical and organisational measures in respect of SWAN, it did not do so adequately.
Bupa came to know about the breach on 16th June last year when an external partner informed the company that the stolen customer data was put up on sale on AlphaBay Market that could be accessed via Tor.
“Unfortunately, there is no silver bullet solution to solve an employee error, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls they will be much more secure,’ said Darran Rolls, CISO & CTO at SailPoint.
Considering that placing excessive restrictions on access to the cloud may hamper the productivity of employees, companies can control critical data by taking a governance-based approach to identity and access management. There should be a balance between enhanced user access and new IT visibility and controls, he added.