The Information Commissioner’s Office has fined Bupa £175,000 for “systemic data protection failures”.
A rogue employee took data from the insurer’s customer relationship management system between January and March 2017. They then offered for sale personal information belonging to 547,000 people, relating to 108,000 policyholders and beneficiaries, on the dark web. The system contained 1.5 million records in total.
The stolen information included names, dates of birth, email addresses and nationality.
An investigation by the commissioner found that Bupa had not been correctly monitoring its customer relationship management system’s activity log. The company was found to be unaware of a defect in its system and failed to detect unusual activity.
ICO director of investigations Steve Eckersley said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”