UK-based healthcare firm Bupa was fined £175,000 ($228,300) after customer data ended up for sale on the dark web.

The Information Commissioner’s Office (ICO) delivered the fine for failing to have effective security measures.

Security lapses

A Bupa employee was able to extract the information of 547,000 customers between January and March 2017. Furthermore, the employee then offered the data for sale on the dark web. In addition, the compromised information included names, dates-of-birth, email addresses, and nationality.

The breach was discovered by Bupa in June 2017 by an external partner who saw the data up for sale. Overall, 198 complaints were sent to the healthcare company and to the ICO. Following the reveal, the employee was arrested.

The ICO’s investigation found that, at the time, Bupa did not routinely monitor activity logs. Therefore, the firm was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data. Failing to keep personal data secure is a breach of the Data Protection Act 1998.

It revealed systemic failures in Bupa’s technical and organisational measures which also left 1.5 million records at risk for a long time.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

ICO Director of Investigations, Steve Eckersley, said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”