An insider sifts through 108,000 client files. What can go wrong?

Source: CSOONLINE

In a succinct statement, the managing director of Bupa Global, Sheldon Kenton, explains how Bupa Global recently discovered an employee had “inappropriately copied and removed some customer information from the company. Around 108,000 international health insurance policies are affected.”

Bupa has approximately 1.4 million international health insurance policies (16.5 million policies in total), so the employee reached the policies of roughly 8 percent of Bupa’s international health insurance policy holders. The 108,000 policies affected 547,000 individuals. The client data compromised included:

  • Names
  • Date of birth
  • Nationalities
  • Contact information
  • “Administrative materials”
  • Bupa customer numbers

Kenton continues that while the information was accessed and copied, none of the information was deleted from the system. Furthermore, Bupa believes the compromised information did not include client financial or medical data.

No accident: Trusted insider acted deliberately

To their credit, Bupa calls it like it is in their statement: This was a trusted insider who broke trust and acted in a deliberate manner:

This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action.

Backups are important

A salient point in Bupa’s statement concerns the employee’s removal of the data from Bupa. The employee succeeded in copying it out, but Bupa is unequivocal that no client data was deleted. Bupa can only say that with confidence if it is able to reconcile the live database against backup copies or a change history, so we may presume that multiple backup iterations of the harvested database exist.

Trust but verify

An additional indicator that Bupa understands the magnitude of what transpired, as they evolve their internal policies, is this statement, “We have introduced additional security measures and increased our customer identity checks.”

As every CISO knows: trust those who have access to the data, but verify that they access only the data they need.

Least privileged access

The doctrine of need to know, or least privileged access, reduces the risk that data is accessed as part of a farming exercise by a curious or malevolent employee. By ensuring each employee has access only to the information needed to do their job, and by auditing that access to confirm it serves bona fide purposes, you create a demonstrably secure environment. Note that an insider whose role legitimately requires reading customer records will not be stopped by least privilege alone; what distinguishes harvesting from ordinary work is the volume and pattern of access, which is why the audit trail must be reviewed, not merely kept.
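To make the two halves of that paragraph concrete, here is an added example (not code from the original article or from Bupa) showing the checks a customer-records system can run over its own access audit trail: an entitlement check that flags any action outside a role’s permissions (least privilege), and a harvesting check that flags any user-day whose count of distinct records read is far above the peer baseline. The log format, role map, user names and thresholds are all assumptions made for the example, and the log lines are constructed, not real data.

```python
"""Least-privilege and harvesting checks over an access audit trail.

Added example: the log format, roles, users and thresholds are hypothetical.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Hypothetical role map and entitlements: a claims handler may view single
# policies on screen but never bulk-export them.
ROLE_OF = {u: "claims_handler" for u in ("alice", "bob", "carol", "dave", "erin", "mallory")}
ALLOWED = {
    "claims_handler": {"VIEW_POLICY"},
    "data_admin": {"VIEW_POLICY", "EXPORT_POLICY"},
}
READ_ACTIONS = {"VIEW_POLICY", "EXPORT_POLICY"}  # actions that expose record contents


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    policy_id: str


def build_sample_log() -> list[str]:
    """Constructed audit log (not real data).

    Five handlers each view 10-18 distinct policies on two working days;
    one account views 400 distinct policies in a single day and then
    attempts an export its role does not permit.
    """
    lines = []
    handlers = ["alice", "bob", "carol", "dave", "erin"]
    for day in ("2017-06-12", "2017-06-13"):
        for i, user in enumerate(handlers):
            for k in range(10 + i * 2):
                policy = f"P{100000 + i * 50 + k:06d}"
                lines.append(f"{day}T{9 + k // 8:02d}:{(k * 7) % 60:02d}:00Z {user} VIEW_POLICY {policy}")
    for k in range(400):
        lines.append(f"2017-06-13T{8 + k // 60:02d}:{k % 60:02d}:00Z mallory VIEW_POLICY P{200000 + k:06d}")
    lines.append("2017-06-13T15:05:00Z mallory EXPORT_POLICY P200000")
    return lines


def parse_line(line: str) -> AccessEvent:
    # Hypothetical line format: "<ISO-8601 UTC timestamp> <user> <action> <policy id>"
    ts, user, action, policy_id = line.split()
    return AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, policy_id)


def parse_log(lines: list[str]) -> list[AccessEvent]:
    return [parse_line(line) for line in lines if line.strip()]


def entitlement_violations(events: list[AccessEvent]) -> list[AccessEvent]:
    """Least privilege: every action that the user's role is not entitled to."""
    return [e for e in events if e.action not in ALLOWED.get(ROLE_OF.get(e.user, ""), set())]


def distinct_records_per_user_day(events: list[AccessEvent]) -> dict[tuple[str, date], int]:
    """Count distinct policy records read by each user on each calendar day."""
    seen: dict[tuple[str, date], set[str]] = defaultdict(set)
    for e in events:
        if e.action in READ_ACTIONS:
            seen[(e.user, e.ts.date())].add(e.policy_id)
    return {key: len(ids) for key, ids in seen.items()}


def harvest_threshold(counts: dict[tuple[str, date], int], floor: int = 25, k: float = 5.0) -> float:
    """Robust peer baseline: median + k * MAD, never below an absolute floor.

    The median and MAD are barely moved by a single extreme user-day, so the
    harvester does not raise the baseline that is meant to catch it.
    """
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    return max(floor, med + k * mad)


def harvesting_alerts(lines: list[str], floor: int = 25, k: float = 5.0) -> list[tuple[str, str, int]]:
    """Return (user, day, distinct_records) for every user-day above the threshold."""
    counts = distinct_records_per_user_day(parse_log(lines))
    threshold = harvest_threshold(counts, floor, k)
    return sorted((u, d.isoformat(), n) for (u, d), n in counts.items() if n > threshold)


if __name__ == "__main__":
    log = build_sample_log()
    for e in entitlement_violations(parse_log(log)):
        print("ENTITLEMENT VIOLATION:", e)
    for user, day, n in harvesting_alerts(log):
        print(f"HARVESTING ALERT: {user} read {n} distinct records on {day}")
```

In the constructed log the handlers' user-days sit between 10 and 18 distinct records, the median is 14 and the MAD is 2, so the threshold settles at the floor of 25 and only mallory’s 400-record day is flagged; the export attempt is reported separately because the claims_handler role has no EXPORT_POLICY entitlement. In a real deployment the baseline should be computed per role and over a trailing window rather than over the same batch being scored.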

Bupa customers should be hyper-alert

The 547,000 individuals whose information was compromised need to remain hyper-alert to criminals attempting to capitalize on the client information. The data can be used to craft phishing emails that spoof not only Bupa but any number of entities; by including identifying details taken from Bupa, such as a name, date of birth or customer number, an email gains enough apparent authenticity to induce the recipient to “click” a link.


Christopher Burgess is an advocate for effective security strategies, be they at the office or at home for you and your family. Christopher served 30+ years within the Central Intelligence Agency. He co-authored the book Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.

