Bupa was fined £175,000 because the security measures it had in place to protect its customers' personal information were ineffective.
The incident took place last year and resulted in the personal information of 547,000 Bupa Global customers being offered for sale on the dark web. The information was accessed via SWAN, the customer relationship management system that Bupa used, which holds the records of 1.5 million customers. An employee accessed the information through SWAN and sent bulk data reports to his personal email account. The types of information accessed included names, dates of birth, email addresses and nationality, and these were later advertised for sale on the dark web.
The breach became known to Bupa on 16 June 2017 when an external partner spotted that customer data was for sale. There have since been 198 complaints about the incident to both the ICO and Bupa.
The ICO found a number of failings by Bupa, including that Bupa did not routinely monitor SWAN's activity log, so it was unaware of a defect in the system and could not identify unusual activity.
It is also worth noting that although the Bupa breach was caused by a rogue employee, Bupa was still subject to enforcement action because it did not have adequate measures in place.
Not long after the Bupa fine was issued, the ICO issued a further fine of £120,000 to HAL for failings in relation to network security.
This related to an unencrypted memory stick containing 76 HAL folders and over 1,000 files. A member of the public viewed the information at a local library and found a small amount of personal information, including a training video that exposed ten individuals' details (names, dates of birth and passport numbers) and the details of up to 50 HAL aviation security personnel. The stick was then passed to a national newspaper, where copies were made, before it was returned to HAL.
During its investigation, the ICO found that only two percent of a 6,500-strong workforce had received data protection training. The use of the memory stick contravened HAL's own policies and guidance. There were also ineffective technical controls to prevent personal data from being downloaded onto unauthorised or unencrypted media.
Failing to put adequate security measures in place can have severe consequences. Schools should consider the following: