UK-based healthcare firm Bupa was fined £175,000 ($228,300) after customer data ended up for sale on the dark web.

The Information Commissioner’s Office (ICO) delivered the fine for failing to have effective security measures.

Security lapses

A Bupa employee was able to extract the information of 547,000 customers between January and March 2017. Furthermore, the employee then offered the data for sale on the dark web. In addition, the compromised information included names, dates-of-birth, email addresses, and nationality.

The breach was discovered by Bupa in June 2017 by an external partner who saw the data up for sale. Overall, 198 complaints were sent to the healthcare company and to the ICO. Following the reveal, the employee was arrested.

The ICO’s investigation found that, at the time, Bupa did not routinely monitor activity logs. Therefore, the firm was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data. Failing to keep personal data secure is a breach of the Data Protection Act 1998.

It revealed systemic failures in Bupa’s technical and organisational measures which also left 1.5 million records at risk for a long time.

ICO Director of Investigations, Steve Eckersley, said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”