Bupa fined £175,000 for data breach


The Information Commissioner’s Office has fined Bupa £175,000 for “systemic data protection failures”.

A rogue employee took data from the insurer’s customer relationship management system between January and March 2017. They then offered for sale personal information belonging to 547,000 people, relating to 108,000 policyholders and beneficiaries, on the dark web. The system contained 1.5 million records in total.

The stolen information included names, dates of birth, email addresses and nationality.

An investigation by the commissioner found that Bupa had not been correctly monitoring its customer relationship management system’s activity log. The company was found to be unaware of a defect in its system and failed to detect unusual activity.

ICO director of investigations Steve Eckersley said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”

Had the incident occurred after the General Data Protection Regulation came into force in May 2018, the insurer could have faced fines of up to £440m.
