Sensitive details of Bupa’s insurance customers breached by rogue employee
14 July 2017 |
Insurance firm Bupa has announced that one of its employees inappropriately copied and removed data belonging to 108,000 international health insurance customers.
Customers with local health insurance policies have not been affected by the breach, Bupa has confirmed.
In a press release, Bupa said that only 108,000 of its 1.4 million international health insurance customers were affected by the breach. The employee managed to obtain personal information of these customers but their medical and financial information is secure.
Data compromised by the employee includes names, dates of birth, nationality, membership numbers and some contact and administrative information. Bupa has also confirmed that the information has been shared with third parties.
'We are contacting those customers who are affected to apologise and advise them as we believe the information has been made available to other parties,' said Sheldon Kenton, Managing Director of Bupa Global.
'Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation,' he added.
Bupa has authorised a thorough investigation on the data breach and has introduced additional security measures to prevent this from happening again. The said employee has been dismissed and legal action has been initiated.
Mark James, a security specialist at ESET, believes that even though medical and financial information hasn't been compromised, hackers can use available bits of information to build profiles for future phishing victims and try to use the information to lure customers to divulge further details. Hackers may also pose as companies to contact victims and pressure them to click on links or share additional information about themselves.
To prevent this from happening, companies should employ measures like 'Data Loss Prevention' to ensure customer data is safe and cannot be leaked by employees who handle such data.
'Unfortunately, there is no silver bullet solution to solve an employee error, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls they will be much more secure,' said Darran Rolls, CISO & CTO at SailPoint.
Considering that placing excessive restrictions on access to the cloud may hamper the productivity of employees, companies can control critical data by taking a governance-based approach to identity and access management. There should be a balance between enhanced user access and new IT visibility and controls, he added.
Latest posts by Jay Jay (see all)
- Europol busts international e-commerce fraud ring, arrests 95 fraudsters - 22nd June 2018
- Infosec professionals believe nation-state attacks will rise this year - 22nd June 2018
- Flightradar24 data breach exposed email IDs & hashed passwords of 230,000 customers - 22nd June 2018
- Islington Council asked residents to share credit card details in plain text - 21st June 2018
- Cyber criminals leveraging fake Fortnite for Android apps to generate clicks - 21st June 2018