Brian Jackson - Fotolia
Bupa Global has warned that international health insurance customers may be targeted by cyber criminals using data stolen from the company.
The customer data was copied and removed by an employee and is believed to have been shared with third parties. The data includes names, dates of birth, nationalities, and some contact and administrative details, including Bupa insurance membership numbers.
However, the company said no financial or medical data is involved, and that the incident affected only some of Bupa Global division’s international health insurance customers.
They also confirmed that no customers of Bupa’s domestic health insurance businesses were affected and said all affected customers would be notified.
“Protecting the information we hold about our customers is an absolute priority,” said Sheldon Kenton, managing director of Bupa Global. “I would like to assure customers we are treating this seriously and taking steps to address the situation.”
“This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks.”
A thorough investigation is underway and the company has informed the FCA and Bupa’s other UK regulators. “The employee responsible has been dismissed and we are taking appropriate legal action,” said Kenton.
Read more about insider threats
- Organisations need to take insider threats more seriously, say security experts, as Sage warns that a data breach using an internal log-in may have compromised employee data at nearly 300 UK firms.
- Most organisations in Europe rely on outdated security technologies, exposing them to breaches by malicious or hapless insiders, a report reveals.
The company has provided guidelines for customers on how to avoid being tricked into handing over their details to scammers pretending to be representatives of Bupa, and said customers should always check on the sender of any messages or anyone calling before handing over details responding with any details.
Customers should be suspicious of anyone who asks for bank account or credit card details, double-check email addresses, and refuse to download any software or allow anyone log on to their computer or device remotely.
Mark James, security specialist at Eset, said that while employees who handle valuable information are trusted to keep it safe, organisations should ensure they have systems in place to keep data safe.
He also warned that the data potentially shared with third parties could be used to craft credible emails aimed at manipulating recipients.
James commended Bupa for the guidelines provided to customers. “They are fully aware of the problems these breaches cause and seem to be doing all the right things, such as notifying the affected parties and providing as much information as possible via a web page and video,” he said.