The Information Commissioner's Office (ICO) has fined Bupa £175,000 for what it calls ‘systemic data protection failures’. The fine was imposed after Bupa reported that an employee had stolen data on 108,000 health policies. That data was later sold on the Dark Web. The stolen data affected 547,000 customers whose data was stored in SWAN, Bupa’s customer relationship management system.
ICO Director of Investigations, Steve Eckersley, said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”
Between 6 January and 11 March 2017, a Bupa employee stole data on 547,000 Bupa customers. The data was subsequently offered for sale on the Dark Web through the AlphaBay Market. The data was spotted and reported to Bupa. In July 2017 AlphaBay Market was shut down by law enforcement.
The advert for the data on AlphaBay read:
DB [database] full of 500k+ Medically insured persons info from a well-known international blue chip Medical Insurance Company. Data lists 122 countries with info per person consisting of Full name, Gender, DOB, Email Address plus Membership Details excluding CC Details.
Bupa has since said that no payment data or medical data was stolen as part of this breach.
Once Bupa was informed of the breach, it notified customers and the ICO. It also dismissed the employee and reported the matter to the police. Despite Sussex Police issuing a warrant for the arrest of the staff member, he remains at large.
According to Fouad Khalil, Head of Compliance, SecurityScorecard: “This scenario is very typical. We are witnessing organisations (even ones with process maturity) having implemented quick and ineffective controls in an effort to speedily claim compliance with GDPR and other privacy laws.
“The disgruntled employee seems to have had more access than his job role requires due to the sheer volume of data he allegedly stole.”
How did it happen?
Easily. The ICO investigation discovered that over 1,751 Bupa employees had access to the data stored in SWAN. Twenty of those staff members had complete, unfettered access to SWAN: they were allowed to search and run reports that could be downloaded onto local and personal drives.
The ICO says that Bupa’s data controls were such that the SWAN activity log was not routinely monitored. The system that was in place was also unable to detect unusual activity, including the bulk extraction of data. This allowed the employee to email the customer data to their personal email account.
This is not just a failure of SWAN. Organisations routinely use Data Loss Prevention (DLP) solutions that identify, monitor and track the usage of sensitive data. Bupa had no such system in place at the time of the incident. If it had, it would have been able to track data such as policy numbers and dates of birth, and these would have immediately flagged up the data theft.
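The two controls the ICO found missing, routine review of the activity log for bulk extraction and DLP-style inspection of outbound content, are illustrated in the added example below. This is example code written for this article, not Bupa's, SWAN's or the ICO's tooling. The log line format, the field names, the "BUP-" policy-number format, the thresholds and the sample log and email are all constructed assumptions.

```python
"""Two detection checks the article says were missing at Bupa:
1. bulk-extraction alerting over a CRM activity log, and
2. a DLP-style scan of an outbound email body for policy numbers and DOBs.
All formats, names and thresholds are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (assumed format, not SWAN's real log):
# timestamp user action rows destination
SAMPLE_LOG = """\
2017-01-06T09:12:00 user=jsmith action=search rows=12 dest=screen
2017-01-06T09:15:00 user=jsmith action=report rows=40 dest=screen
2017-01-06T18:40:00 user=acarter action=report rows=25000 dest=local_drive
2017-01-06T18:55:00 user=acarter action=export rows=30000 dest=personal_drive
2017-01-07T08:05:00 user=mlee action=search rows=3 dest=screen
2017-01-07T19:10:00 user=acarter action=export rows=28000 dest=local_drive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"rows=(?P<rows>\d+) dest=(?P<dest>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "rows": int(m["rows"]),
            "dest": m["dest"],
        })
    return events


def bulk_extraction_alerts(events, row_threshold=5000,
                           window=timedelta(hours=24), daily_threshold=20000):
    """Return (kind, user, timestamp, rows) alerts for:
    - any single off-screen report/export above row_threshold, and
    - any user whose off-screen rows in a rolling window exceed daily_threshold.
    Thresholds are illustrative; tune them to the real baseline."""
    alerts = []
    recent = defaultdict(list)  # user -> off-screen events inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["dest"] == "screen":
            continue  # on-screen lookups are normal day-to-day use
        if e["rows"] >= row_threshold:
            alerts.append(("single_bulk_export", e["user"], e["ts"], e["rows"]))
        hist = recent[e["user"]]
        hist.append(e)
        hist[:] = [h for h in hist if e["ts"] - h["ts"] <= window]
        total = sum(h["rows"] for h in hist)
        if total >= daily_threshold:
            alerts.append(("rolling_volume", e["user"], e["ts"], total))
    return alerts


# DLP-style content check. Policy-number format is an assumption ("BUP-" plus
# eight digits); the DOB pattern is deliberately coarse (any dd/mm/yyyy or
# yyyy-mm-dd) so it over-matches rather than misses.
POLICY_RE = re.compile(r"\bBUP-\d{8}\b")
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b")


def dlp_scan(body, policy_threshold=3):
    """Count sensitive identifiers in an outbound message body. One or two
    policy numbers is ordinary customer-service traffic; several in one
    message looks like an extract and is marked for blocking/review."""
    policies = POLICY_RE.findall(body)
    dobs = DOB_RE.findall(body)
    return {
        "policy_numbers": len(policies),
        "dobs": len(dobs),
        "block": len(policies) >= policy_threshold,
    }


# Constructed outbound email body resembling a member extract.
SAMPLE_EMAIL = """\
Subject: FW: member extract
BUP-20170101, Jane Doe, F, 12/03/1980, jane@example.com
BUP-20170102, John Roe, M, 1975-07-21, john@example.com
BUP-20170103, Ana Sol, F, 03/11/1992, ana@example.com
BUP-20170104, Li Wei, M, 1988-02-09, li@example.com
"""

if __name__ == "__main__":
    for alert in bulk_extraction_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
    print(dlp_scan(SAMPLE_EMAIL))
```

Run as-is, the log check flags only acarter (three oversized off-screen exports and three rolling-volume breaches), while jsmith and mlee, whose activity stays on screen, produce nothing; the DLP scan marks the sample email for blocking because it carries four policy numbers and four dates of birth. The two checks are complementary: the log check catches the extraction inside the system, the DLP check catches the data on its way out even when the activity log is not being watched.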
Why was the fine so low?
The ICO has fined Bupa £175,000. It says its investigation “revealed systemic failures in Bupa’s technical and organisational measures which also left 1.5 million records at risk for a long time.” The offence occurred in 2017 and the maximum penalty under the Data Protection Act is £500,000.
Given the ‘systemic failures’ and the fact that the ICO said data was at risk for a ‘long time’, this seems a paltry fine. Both statements imply that a larger fine would have been more appropriate under the DPA. If the offence had occurred under the GDPR, it is likely that the fine would have been several times higher.
What does this mean?
It has taken a long time for the ICO to rule on this case. It shows how backed up the regulator is and the need for more resources. Bupa has had a lucky escape and has got off relatively lightly. It may be that the lack of payment or medical data in the stolen data set saved it.
This was not a quick hit-and-run by a hacker. It was a long-term attempt to steal data by an employee with data access privileges. The ICO investigation did discover instances of data downloaded by the employee going back to 2013. That data included payment data. The ICO investigation could not, however, show that the data was subsequently exfiltrated.
Employees with excess data privileges and systems that are poorly monitored are a recipe for data theft. As long as there is a market for data, people will steal it. Companies have to do a better job of detecting the theft of data. In this case Bupa did nothing from 2013 until the offence came to light in 2017. It has not responded to an email asking what actions it has taken since the offence took place.