Recently the international healthcare group Bupa was hit by a malicious act in its UK office, which compromised the personal data of almost 20,000 Australian customers, including their names, dates of birth, nationality, phone numbers, email addresses and administrative information. It is estimated 108,000 international customer records are affected. However, the financial details and medical information of policy holders were not compromised.

For more information about whether or not you are affected by Bupa’s data breach, check out their customer update.

Who Is Affected?

According to Bupa, not all of its 1.4 million international customers are affected. A Bupa Australian spokesperson said that among the 547,000 customers affected worldwide, 19,595 were believed to be Australians. Those who are affected will be contacted by Bupa and informed that their information has been made available to other parties. In a customer update, Bupa revealed that the affected policyholders include:

  • Customers with international private health insurance;
  • Customers with a policy number that begins with ‘BI’; and
  • Former customers.

Fortunately, customers with local (domestic) health insurance were unaffected.

Background

In the company's breach notification statement, Managing Director of Bupa Global Sheldon Kenton said a rogue employee from its international health insurance division “inappropriately copied and removed some customer information from the company”. Mr Kenton said the breach was “not a result of a cyber attack or external data breach, but a deliberate act by an employee”. After Bupa discovered the culprit, the employee was immediately dismissed, and Bupa is in the process of commencing appropriate legal action. Further, the matter was referred to the police for investigation.

Commentary

Commentators have raised arguments about how Bupa and other companies will tackle data security breaches in future. Mark James, security specialist at cybersecurity firm ESET, argued the breach exposes Bupa customers to the risk of more convincing phishing scams that might be crafted using the leaked data. In contrast, The Register writer John Leyden said security measures such as data loss protection should be implemented and properly configured, in order to prevent data from being leaked or stolen. If Bupa had carried out changes to the previous security measures, then a rogue employee would have been unable to upload sensitive information onto the internet. Mr Leyden said solutions such as health insurance providers disabling USB ports may work in the short term, but they can be bypassed by more “stealthy data extraction methods”.

Moreover, Marco Cova, senior security researcher at cybersecurity firm Lastline, said the data revealed from the breach is “the type criminals can use to launch additional attacks”. Mr Cova explained criminals can merge data from multiple sources, building dossiers on potential victims. The information does not have to be highly confidential to create successful attacks. In fact, data breaches provide a distribution hub for malware.

Final Thoughts

Amid these arguments, Bupa has said that protecting customer information is an absolute priority and that it will be taking steps to address the situation. The company has apologised and assured its customers it is in the process of introducing additional security controls and customer identity checks. Customers are advised to remain vigilant, particularly if anyone contacts them via phone or email pretending to be the healthcare group with the intention of scamming them.

Fiona Lu

Fiona is a Paralegal working in our content team which aims to provide free legal guides to facilitate public access to legal resources. With an interest in information, media, consumer and employment law, her primary focus is on how technology will affect the future of the legal industry.