Bupa, the global health insurance company, recently admitted to a massive data breach affecting its international customers. A rogue employee copied and distributed the details of 108,000 customers. The data did not include financial or health information, but did include names, dates of birth, nationalities and some contact information. Whilst this information may not be enough to defraud Bupa customers on its own, it could be used by hackers to create more convincing phishing attacks to fool unsuspecting members of the public.
Security expert Marco Cova said to The Register: "Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. Data breaches provide a distribution hub for malware for years to come."
Bupa quickly admitted to the data breach and explained that the employee had been fired and that the matter was being investigated by the police. The Financial Conduct Authority and other relevant regulators were also notified, and Bupa contacted all the customers affected to provide advice on how to spot any fraudulent emails and scams that may come their way. Following the breach, Bupa has also reported plans to review its security procedures.
While Bupa has responded rapidly and openly to this incident, many will question how a company that handles so much sensitive personal information could fall victim to this kind of attack – particularly from inside their own walls. Presumably they have a Data Loss Prevention system configured to stop employees from downloading or copying data without authorisation. So how could one employee harvest 108,000 records?
The Bupa attack is another example of cyber-crime that doesn't fit the common misconception. This was not a carefully planned operation by a hardened criminal; it was an opportunistic theft by a trusted member of staff. This kind of crime is difficult to prevent, particularly when organisations are striving to remove barriers to innovation and enable employees to do great work efficiently.
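One control that complements a Data Loss Prevention system is monitoring how many distinct customer records a single account touches in a short period: a trusted member of staff with legitimate access still stands out when they open or export thousands of records in an hour. The script below is an added illustration, not code from Bupa, DeltaNet or the original article. It assumes a constructed application access log with one line per record lookup in the form `<ISO timestamp> user=<id> action=<view|export> record=<id>`, and the one-hour window and 50-record threshold are illustrative assumptions that a real deployment would tune against its own baseline.

```python
"""Flag accounts that access an unusual number of distinct customer records.

Added example (not Bupa's or DeltaNet's code). The log format below is
constructed for this illustration; the window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log line format: "<ISO timestamp> user=<id> action=<view|export> record=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "record": m["record"],
    }


def flag_bulk_access(lines, window=timedelta(hours=1), max_records=50):
    """Return {user: peak distinct records seen in any sliding window}
    for every user whose peak exceeds max_records.

    A sliding window over each user's time-ordered events keeps a count of
    how many times each record id appears inside the window, so the number
    of distinct records is len(counts) at every step.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:  # silently skip malformed lines
            events[ev["user"]].append((ev["ts"], ev["record"]))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # record id -> occurrences inside the window
        start = 0
        peak = 0
        for ts, rec in evs:
            counts[rec] += 1
            # Drop events that have fallen out of the window.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_records:
            flagged[user] = peak
    return flagged


def constructed_log():
    """Build a small constructed log: one ordinary agent and one bulk copier."""
    base = datetime(2017, 7, 1, 9, 0)
    lines = []
    # Ordinary agent: a dozen lookups spread across the working day.
    for i in range(12):
        ts = (base + timedelta(minutes=30 * i)).isoformat()
        lines.append(f"{ts} user=agent01 action=view record=C{1000 + i}")
    # Bulk copy: 120 distinct records exported in about 40 minutes.
    for i in range(120):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} user=agent02 action=export record=C{2000 + i}")
    lines.append("this line is malformed and should be skipped")
    return lines


if __name__ == "__main__":
    for user, peak in flag_bulk_access(constructed_log()).items():
        print(f"ALERT: {user} accessed {peak} distinct records within one hour")
```

The peak-per-window figure is more useful than a daily total because it separates a slow, legitimate day of customer service from a burst of copying, and the same routine can be run against export actions alone to raise a higher-severity alert.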
Has your organisation struck the balance between security and digital freedom? Or do you need to do more to secure your data and systems against internal threats?
eLearning can help warn against potential repercussions for data theft and educate employees on the laws and regulations in place to deter cyber-crime. DeltaNet International offer a suite of cyber-security eLearning courses, as well as short courses on the upcoming GDPR legislation with its increased focus on digital security.