International health insurer Bupa has suffered a massive data breach, with a rogue employee stealing and trying to sell at least 100,000 clients’ private data online, cyber experts have reported.
The employee, it appears, has advertised the database for sale on the Dark Web. And while Bupa has claimed the breach included 108,000 clients’ data, the thief has advertised the breach as including as many as one million customers.
A vendor calling himself ‘MoZeal’ was behind the attempted data sale, as reported by DataBreaches.net.
MoZeal posted an advert on Alpha Bay – a marketplace on the Dark Web, an alternate internet where criminals operate anonymously – selling an “exclusive medical database,” with information from “122 countries”.
The data stolen on each customer allegedly included birthdates, nationalities, home phone numbers, home emails, work details, and Bupa IDs.
“Also of note,” DataBreaches reported, quoting from the entry on the Dark Web, “while Bupa reports that 108,000 were affected, MoZeal’s listing and thread indicated that there were over 130,000 in the UK alone, and that overall there were about 500,000-one million records for sale.”
In response to speculation that up to one million customers may have been impacted by the breach, Bupa issued the following statement to Insurance Business.
“All of the information and statements we have made public this week remain valid,” it said. “We are aware of a report by Databreaches.net that suggests ‘a former employee claimed to have 1m records for sale’. Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken relates to duplicate copies of some records.”
In addition, Sheldon Kenton, managing director of Bupa Global, addressed customers in a video statement released online.
“I wanted to let you know that we recently discovered that an employee had taken some customer information from one of our systems. I know that this will be concerning, so wanted to explain the situation,” Kenton said.
“The information that was taken does not include any financial or medical information. This data comes from one particular part of Bupa – Bupa Global – which handles international health insurance, mainly for people who work overseas or travel on a regular basis. To be fair, this does not affect Bupa’s other local businesses.
“I want to personally apologise and let you know we’re getting in touch with potentially-affected customers. We have introduced additional security measures and a thorough investigation is also underway. I encourage anyone who is concerned to contact us. And finally, I just want to reassure you that protecting the information we hold about our customers is my absolute priority.”
Graham Cluley, at Hot for Security, said “an obvious risk” with the data potentially available to criminals was that “a fraudster with access to the stolen data could use the information to target Bupa customers [and trick them] into revealing more sensitive information, such as their payment card details, by ringing up policyholders and pretending to be calling from the company”.
Cluley reported that Bupa has said it has been in contact with the Information Commissioner’s Office (ICO) and informed the police of the incident.
“To give Bupa credit, it appears to be communicating openly with concerned customers, and going out of its way to answer questions. With luck the breach will be contained, and the damage done will be limited,” he said.
“All it takes is one rogue employee, or indeed a careless worker, to cause a data breach that could cost your company millions and do untold damage to your brand.”