The insurance company Bupa was fined £175,000 after an employee offered the personal information of 547,000 customers for sale on the dark net.
The Information Commissioner's Office (ICO) fined the insurer for failing to have effective security measures in place to protect customers' personal information.
The employee retrieved the information between January 6 and March 11, 2017 through Bupa’s Customer Relationship Management System, which contains customer records for 1.5 million people.
The employee sent bulk data reports, including names, dates of birth, e-mail addresses, and nationality, to their personal e-mail account prior to the online sale of the data.
ICO investigator Steve Eckersley said, “Bupa did not understand that people’s personal information was compromised and did not take reasonable steps to protect it.”
An investigation revealed “systemic imperfections” in the protection of Bupa’s personal data and showed that these failures were “uncontrolled” for a long time, added Eckersley. The failure to secure personal information violates the 1998 Data Protection Act.
Bupa was informed of the breach on June 16, 2017 by an outside partner who discovered customer data for sale.
Bupa and the ICO received 198 complaints about the incident. The scammer was released and Sussex Police issued an arrest warrant.
A spokesman for Bupa Global said: “We accept this decision from the ICO and have fully participated in the investigation.
“We take our responsibility to protect customer information very seriously.
“Since then, we have implemented additional security measures to prevent the recurrence of such an incident, strengthen our internal controls and improve our customer audits.”