Insurance firm Bupa has announced that one of its employees inappropriately copied and removed data belonging to 108,000 international health insurance customers.
Customers with local health insurance policies have not been affected by the breach, Bupa has confirmed.
In a press release, Bupa said that only 108,000 of its 1.4 million international health insurance customers were affected by the breach. The employee managed to obtain personal information of these customers, but their medical and financial information is secure.
Data compromised by the employee includes names, dates of birth, nationality, membership numbers and some contact and administrative information. Bupa has also confirmed that the information has been shared with third parties.
'We are contacting those customers who are affected to apologise and advise them as we believe the information has been made available to other parties,' said Sheldon Kenton, Managing Director of Bupa Global.
'Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation,' he added.
Bupa has authorised a thorough investigation into the data breach and has introduced additional security measures to prevent this from happening again. The employee has been dismissed and legal action has been initiated.
Mark James, a security specialist at ESET, believes that even though medical and financial information hasn't been compromised, hackers can use available bits of information to build profiles for future phishing victims and try to use the information to lure customers to divulge further details. Hackers may also pose as companies to contact victims and pressure them to click on links or share additional information about themselves.
To prevent this from happening, companies should employ measures like 'Data Loss Prevention' to ensure customer data is safe and cannot be leaked by employees who handle such data.
'Unfortunately, there is no silver bullet solution to solve an employee error, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls they will be much more secure,' said Darran Rolls, CISO & CTO at SailPoint.
Considering that placing excessive restrictions on access to the cloud may hamper the productivity of employees, companies can control critical data by taking a governance-based approach to identity and access management. There should be a balance between enhanced user access and new IT visibility and controls, he added.