The ICO has fined Bupa Insurance Services Ltd (Bupa) £175,000 for failing to have effective security measures in place to protect customers’ personal information.
The data breach was discovered in June 2017 when customer data was being offered for sale on the dark web.
The report found that a rogue employee, one of 20 employees with enhanced privileges, was able to generate bulk data reports from the client management system. The reports comprised over 500k customer records, including full name, gender, date of birth, email address and membership details. This data was then attached to a series of six emails and sent to his personal email account.
The Commissioner’s Investigation – risk assessment
The Commissioner found that there was “a material organisational inadequacy, given the volume of personal data accessible…, the number of data subjects involved, and the ease with which they could access it”. The Commissioner reported that Bupa did not undertake any adequate risk assessment of the access rights for the client management system.
It was also found that the 20 users with escalated privileges were able to “make searches, view large numbers of customer data at a time and export data to separate applications and files including file sharing platforms and social media. Those capabilities facilitated potential large-scale misuse of the relevant personal data over a short period of time. There was not any adequate justification for those capabilities”.
Failure to monitor activity log
The data controller failed to monitor its activity log (which was in any case defective, a defect that had not been discovered). This meant that it was not able to check for activities such as bulk extractions of data, which would have alerted it to the unauthorised activity.
…likely to cause substantial damage or distress
The information taken could have helped scammers to defraud the data subjects, including tricking them into disclosing their bank details, potentially leading to financial loss or to their accounts being used for money laundering. The fact that their data may have been stolen or misused could also cause substantial distress to the data subjects because of the uncertainty about how this could adversely affect them.
Appropriate technical and organisational controls
The Commissioner stated that the data controller failed to undertake an adequate risk assessment and failed to monitor its activity log, despite having ample opportunity over a long period of time to implement appropriate technical and organisational controls.
“…this is an opportunity to remind data controllers to ensure appropriate and effective security measures are applied to personal data.”
Risk assessments, monitoring and access controls
Restricting access to systems to the minimum needed to carry out the business function is essential, but carrying out a risk assessment that looks at the possible opportunities for loss of data confidentiality, integrity or availability should also be part of normal business processes. Active monitoring of logs for unusual activity provides an early warning system and an opportunity to identify and respond to threats.
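The two failures described above (no monitoring for bulk extractions, and an activity log that was itself defective without anyone noticing) map directly onto two small detection checks. The following is an added example and is not code from the ICO report or from Bupa's systems; the audit log format, the field names, the 50,000-record threshold, the 30-minute window and the list of “external” destinations are all assumptions, and the log lines are constructed for illustration.

```python
"""Bulk-export detection and log health checks over client-management audit events.

Added example (not from the ICO report or Bupa's systems). The log format,
field names, thresholds and destination categories are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line: timestamp|user|action|records|destination
SAMPLE_LOG = """\
2017-06-01T09:02:11|alice|SEARCH|25|screen
2017-06-01T09:05:40|alice|EXPORT|200|local_file
2017-06-01T09:06:02|bob|SEARCH|12|screen
2017-06-01T09:10:15|bob|EXPORT|120000|local_file
2017-06-01T09:12:30|bob|EXPORT|110000|email
2017-06-01T09:14:05|bob|EXPORT|95000|file_share
2017-06-01T11:30:00|carol|EXPORT|3000|local_file
"""

BULK_RECORDS = 50_000            # assumed: records exported per user within the window
WINDOW = timedelta(minutes=30)   # assumed: sliding window for the per-user total
EXTERNAL = {"email", "file_share", "social_media"}  # assumed: channels that leave the system


def parse_line(line):
    """Split one pipe-delimited audit event into a dict with typed fields."""
    ts, user, action, records, dest = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "records": int(records), "dest": dest}


def detect_bulk_exports(log_text, bulk_records=BULK_RECORDS, window=WINDOW):
    """Return alerts as (timestamp, user, reason) tuples.

    Rule 1: any export to an external channel is alerted, whatever its size.
    Rule 2: a user's exported record count within `window` exceeding
            `bulk_records` is alerted once, when the threshold is first crossed.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, records) still inside the window
    totals = defaultdict(int)     # user -> sum of records in that deque
    flagged_bulk = set()
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["action"] != "EXPORT":
            continue
        if ev["dest"] in EXTERNAL:
            alerts.append((ev["ts"], ev["user"], f"export to external channel: {ev['dest']}"))
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["records"]))
        totals[ev["user"]] += ev["records"]
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            _, old = q.popleft()
            totals[ev["user"]] -= old
        if totals[ev["user"]] > bulk_records and ev["user"] not in flagged_bulk:
            flagged_bulk.add(ev["user"])
            alerts.append((ev["ts"], ev["user"],
                           f"bulk export: {totals[ev['user']]} records in {window}"))
    return alerts


def log_health(log_text, now, max_gap=timedelta(hours=1)):
    """Check that the audit log itself is alive and well-ordered.

    A log that silently stops, or that has gone back in time, is a sign the
    logging pipeline is defective, which is the condition monitoring should
    surface before anyone relies on the log.
    """
    issues = []
    lines = log_text.strip().splitlines()
    if not lines:
        return ["no audit events at all"]
    events = [parse_line(line) for line in lines]
    for earlier, later in zip(events, events[1:]):
        if later["ts"] < earlier["ts"]:
            issues.append(f"out-of-order timestamp at {later['ts'].isoformat()}")
    if now - events[-1]["ts"] > max_gap:
        issues.append(f"no events since {events[-1]['ts'].isoformat()}")
    return issues


if __name__ == "__main__":
    for ts, user, reason in detect_bulk_exports(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
    print(log_health(SAMPLE_LOG, now=datetime(2017, 6, 1, 14, 0)))
```

Run against the constructed log, the detector raises three alerts for `bob` (one for crossing the bulk threshold, two for exports to email and a file-sharing platform) and nothing for the users whose exports stayed small and internal, while `log_health` reports that the log has gone quiet when checked well after the last event. Both checks are cheap enough to run on every ingest; the point of the second one is that a defective log is only discovered if something is actively watching for its absence.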