What Can We Learn from the Bupa Data Breach?

Posted on 29 November 2018

Narrowly escaping punishment under the newly introduced GDPR guidelines, Bupa faced a close call over its data breach. Despite happening in 2017, this breach still makes headlines, and is regularly brought back into the spotlight. What’s positive, though, is that Bupa have clearly learned from their mistakes. Here’s what you can learn from them too.


Did you know that many businesses consider themselves untouchable or undesirable when it comes to data breaches; they consider themselves too big, too small, too important, or even too well-protected. You might even feel that way about your own business.

The truth, however, is that all it takes is for you to store or process any kind of data to be at risk from cyberattacks, viruses, and unscrupulous employee dealings; Bupa discovered this first hand.

As a leading health insurer, Bupa holds a bevy of customer details, including identifiable information, as well as payment details – making their cache of data valuable to all the wrong people. What they didn’t count on, however, was that the threat would be from within.


How Bupa Came Under Fire

Although a real media storm happened in early October 2019 when the ICO levied a £175,000 fine at Bupa, the actual breach took place earlier, between January 6th and March 11th 2017.

A disgruntled employee – who continues to remain unnamed – exported roughly 547,000 records, before sending them to a personal email account, and attempting to sell them on the Dark Web. In June 2017, an external partner noticed the data for sale, notified Bupa, and the firm immediately began damage control.

A hundred and ninety-eight customer complaints, an arrest warrant, and a sizeable fine later, Bupa has found itself learning some hard lessons from the whole debacle. Addressing the scandal, a Bupa Global spokesperson said the insurer had accepted the ICO’s decision “and have cooperated fully with its investigation”, taking the crisis in its stride.


What can we Learn?

Of course, somebody else’s well-publicised misfortune can also be an opportunity for other businesses to learn a valuable lesson, avoiding the mistakes others have made, and better-preparing for the future.

So, what can we learn from this incident?

1. Sometimes, the Threat Comes from Within

No employer wants to suspect that trusted members of their team could do something as vindictive as purposely stealing or leaking valuable information – and more often than not, they’re right to think so. Yes, it happens on occasion, but not as often as headlines might have you think.

Where the real internal threat lies, is in accidental breaches through carelessness, lost devices, passwords scribbled down on post-it notes, and other unsuspecting yet devastating oversights.

Businesses need to consider the accidental risk their employees pose when it comes to things like remote working, weak passwords, and sharing confidential documents with personal email addresses. Working to plug any holes left by employee accidents – such as using Microsoft 365 AIP to keep information strictly under control from device to device – is a key first step to combating internal threats.

2. JML Processes are Essential

The Joiner/Mover/Leaver process is a common process in business, defining the on-boarding practices for new staff, handles promotions, and deals with employees leaving the organisation.

For many, this remains a manual process, doubling down on the time, resources, and effort it takes to ensure everybody has the right access to the right resources at the right time.

Although the Bupa data breach involved somebody already in their employ, the story nevertheless presents the perfect opportunity to consider how your JML process is structured. Are former employees still able to access sensitive information days, weeks, or even months after they leave? Can joiners get stuck in on day one with the right permissions? Are employees climbing the career ladder carrying additional access rights with them?

Automating the JML process can iron out many of these issues without a second thought, ensuring that wherever in their career an employee currently is, they only have access to what they need.

 3. Monitor, Update, Repeat

After the Bupa data breach was exposed, investigators were swift in narrowing down how it had been possible in the first place. It transpired that a defect in the relationship management tool, SWAN, had allowed the employee to steal the data. During their investigation, the ICO discovered that Bupa did not routinely monitor SWAN, and so were unaware of the defect.

For those of you who followed the WannaCry saga, this might sound a little too familiar. The ransomware terrorised the NHS in 2017, with its attack made possible by legacy systems not being updated. In the process, NHS trusts using an older version of Windows without support missed crucial security patches, leaving themselves at risk. The cost of WannaCry came to almost £100million – and it served as a hard lesson for the public sector.

From both of these incidents, we can take away a simple lesson: monitor your software, tools, and systems, update them regularly, and keep repeating that step.

In some instances, this might mean running an audit of current identity and access management processes (such as JML), and then adapting to your findings. Prevention is always better than cure, and it’s a lot easier to prepare for a data breach than to react to one.

4. Admit Mistakes and Improve

Finally, there’s a valuable life lesson to take from Bupa’s misfortune: admit your mistakes and improve.

Since the breach, Bupa’s spokesperson has gone on to reiterate how they ”take [their] responsibility for protecting customer information very seriously”, and outlined how they have since “introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks.”

Humble acknowledgement of what went wrong and the willingness to improve on mistakes is absolutely key – and it’s a lesson that can serve us all well in both life and business.

Have the recent data breaches hitting the headlines spurred you on to tackle your business’ data security? Still struggling with manual JML processes weighing your HR department down? We can help – simply get in touch, or feel free to explore our website.

A few people we've already done it for