
Insurer Bupa Blames Breach on Rogue Employee

Breach Affects 500,000 Customers With International Health Insurance Policies
Sheldon Kenton, managing director of Bupa Global, blames breach on former employee.

London-based health insurer Bupa Global is warning international policyholders that about 108,000 policies were exposed in a data breach.

The breach exposed names, dates of birth, nationalities, as well as some contact and administrative details for 547,000 of the company's 1.4 million international health insurance customers, it says.

"We recently discovered an employee had taken some customer information from one of our systems," Sheldon Kenton, managing director of Bupa Global, says in the company's data breach notification to customers, posted online. "The information that has been taken does not include any financial or medical information."

Bupa Group, formerly known as Bupa International, is the international health insurance division of Bupa, which also runs care homes, health centers, a London hospital and dental centers. Bupa has 32 million customers across 190 countries, including 2.7 million customers of its personal, family and company health insurance plans in the United Kingdom.

Sheldon Kenton, managing director of Bupa Global, details the breach, scope and related investigation.

The insurer emphasized that only international insurance policyholders were affected by the breach. Such policies are often obtained when people work or travel overseas. The insurer says domestic policyholders - including in Australia, Chile and the United Kingdom - were not affected by the breach, nor were any users of its other business groups.

But 43,000 people affected by the breach have a correspondence address in the United Kingdom, the BBC reports.

"I want to personally apologize and let you know we're getting in touch with potentially affected customers," Kenton adds. "We have introduced additional security measures and a thorough investigation is underway."

Bupa couldn't be immediately reached for comment about how many individuals were affected in other geographies or how it's notifying breach victims.

Breach Traces to Now-Former Employee

In a statement, the insurer says that the data was not exposed as a result of "a deliberate act by an employee. The employee responsible has been dismissed and we are taking appropriate legal action." It says the former employee worked in the Bupa Global international health insurance division.

The company says that it has "introduced additional security measures and increased our customer identity checks" and informed the relevant authorities.

"A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa's other U.K. regulators," Kenton says.

Britain's privacy watchdog, the Information Commissioner's Office, says it's aware of the breach and making related inquiries.

Stolen Data Advertised on AlphaBay

Bupa notes that the breach in question is the same one that some news reports suggested encompassed 1 million records. "We are aware of a report that suggests that on 23rd June 2017, 'a former employee claimed to have 1 million records for sale.' Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed," it says in a supplementary online statement. "The disparity in numbers claimed and those taken, relates to duplicate copies of some records."

A listing for stolen Bupa data was clocked on June 23 by Dissent, the administrator behind breach-tracking site Databreaches.net. On the darknet marketplace AlphaBay, a vendor using the moniker "MoZeal" offered to sell insurance information relating to individuals located across 122 countries.

AlphaBay, however, has been offline since July 5, following raids as part of a joint U.S., Canadian and Thai investigation (see Darknet Marketplace AlphaBay Offline Following Raids).

Executive Editor Marianne Kolbasuk McGee contributed to this story.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



