A Bupa data breach has led to a significant regulatory fine of £175,000.00 after 198 complaints were made.
The breach occurred between January and March 2017, so it did not attract a GDPR fine. A large fine was nevertheless levied because Bupa were found to have failed to take adequate steps to protect their customers’ data.
It has also transpired that customer data was vulnerable at the time of the initial data breach, owing to a lack of monitoring of Bupa’s customer relationship management system, known as SWAN.
What happened in the Bupa data breach?
The Bupa data breach was committed by an employee who has since been sacked and has had a warrant for his arrest issued by Sussex police.
The employee was able to bulk download a wealth of sensitive data about Bupa customers. This data was then sent to a personal address, after which the employee tried to sell it on the dark web.
Investigations by the ICO (Information Commissioner’s Office) found that Bupa was unaware of defects in their SWAN software that allowed such activity to take place. Bupa was also penalised for failing to monitor data leaving the system.
Given the huge amount of data involved, it is concerning that this transfer was not identified and stopped. For an organisation that holds a lot of sensitive medical data, the breach is even more worrisome.
This kind of lack of care for data is what can lead to a data breach compensation claim.
What information was exposed in the Bupa data breach?
Sensitive and personal information was exposed in the Bupa data breach. This included:
- Dates of birth;
- Email addresses;
It was not until June 2017 that Bupa were alerted to the breach. A partner found the attempted sale of the data and raised the alarm.
198 complaints were made as a result of the breach.
What’s been said about the Bupa data breach?
Speaking about the Bupa data breach, Steve Eckersley of the ICO said:
“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data.
The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”