The UK's Information Commissioner’s Office (ICO) has fined Bupa Insurance Services £175,000 for failing to put effective security measures in place to protect the personal information of about 547,000 customers.



According to the watchdog, one of the company’s employees was able to extract the personal information of more than 500,000 Bupa Global customers, including names, dates of birth, email addresses and nationality, from the company’s database and offered it for sale on the dark web.

It happened between January and March last year. The employee was able to get hold of the information via Bupa’s customer relationship management system SWAN, where records relating to 1.5 million customers are stored. The employee sent bulk reports to his personal email account, to be sold later.

ICO investigations director Steve Eckersley said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data.

“The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”

The insurance company was alerted to the breach in June last year, when an external partner spotted customer data for sale.

Bupa and the ICO received 198 complaints about this incident. The employee was dismissed and the Sussex Police issued a warrant for his arrest, the agency stated.

The ICO stated that its investigation found that, at the time, Bupa did not routinely monitor SWAN’s activity log. It was also unaware of a defect in the system and was unable to detect unusual activity, including bulk extraction of data.

Failure to keep personal data secure is a breach of the Data Protection Act 1998, the ICO said.

According to the investigation, Bupa failed to take technical and organisational measures, which put the records of 1.5 million customers at risk for a long time.

The ICO stated that the investigation was conducted under the provisions of the Data Protection Act 1998 and not the General Data Protection Regulation and the 2018 Act, which replaced it in May this year.