Insurer Bupa Blames Breach on Rogue Employee
Breach Affects 500,000 Customers With International Health Insurance Policies
London-based health insurer Bupa Global is warning international policyholders that about 108,000 policies were exposed in a data breach.
The breach exposed names, dates of birth and nationalities, as well as some contact and administrative details, for 547,000 of the company's 1.4 million international health insurance customers, it says.
"We recently discovered an employee had taken some customer information from one of our systems," Sheldon Kenton, managing director of Bupa Global, says in the company's data breach notification to customers, posted online. "The information that has been taken does not include any financial or medical information."
Bupa Group, formerly known as Bupa International, is the international health insurance division of Bupa, which also runs care homes, health centers, a London hospital and dental centers. Bupa has 32 million customers across 190 countries, including 2.7 million customers of its personal, family and company health insurance plans in the United Kingdom.
The insurer emphasized that only international insurance policyholders were affected by the breach. Such policies are often obtained when people work or travel overseas. The insurer says domestic policyholders - including in Australia, Chile and the United Kingdom - were not affected by the breach, nor were any users of its other business groups.
But 43,000 people affected by the breach have a correspondence address in the United Kingdom, the BBC reports.
"I want to personally apologize and let you know we're getting in touch with potentially affected customers," Kenton adds. "We have introduced additional security measures and a thorough investigation is underway."
Bupa couldn't be immediately reached for comment about how many individuals were affected in other geographies or how it's notifying breach victims.
Breach Traces to Now-Former Employee
In a statement, the insurer says that the data was exposed as a result of "a deliberate act by an employee. The employee responsible has been dismissed and we are taking appropriate legal action." It says the former employee worked in the Bupa Global international health insurance division.
The company says that it has "introduced additional security measures and increased our customer identity checks" and informed the relevant authorities.
"A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa's other U.K. regulators," Kenton says.
Britain's privacy watchdog, the Information Commissioner's Office, says it's aware of the breach and making related inquiries.
Stolen Data Advertised on AlphaBay
Bupa notes that the breach in question is the same one that some news reports suggested encompassed 1 million records. "We are aware of a report that suggests that on 23rd June 2017, 'a former employee claimed to have 1 million records for sale.' Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed," it says in a supplementary online statement. "The disparity in numbers claimed and those taken, relates to duplicate copies of some records."
A listing for stolen Bupa data was clocked on June 23 by Dissent, the administrator behind breach-tracking site Databreaches.net. On the darknet marketplace AlphaBay, a vendor using the moniker "MoZeal" offered to sell insurance information relating to individuals located across 122 countries.

AlphaBay, however, has been offline since July 5, following raids as part of a joint U.S., Canadian and Thai investigation (see Darknet Marketplace AlphaBay Offline Following Raids).
Executive Editor Marianne Kolbasuk McGee contributed to this story.