Bupa healthcare was hit by a data breach after one of its employees went rogue and inappropriately copied and removed information relating to 547,000 international health care plan customers.
Names, dates of birth, nationalities, and some contact and administrative information were among the data leaked. No financial or medical data has been exposed, and the affected customers have been notified. In a statement, Bupa said that protecting customer information was “an absolute priority”.
“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” said Sheldon Kenton, managing director of Bupa Global.
Cyber security experts have had their say on the breach:
Itsik Mantin, director of research at Imperva, said: “Although people tend to associate breaches with hackers, the truth is that many data breaches involve inside work, as was this breach, which, according to Bupa, was carried out by an employee.
This is not surprising given that the Verizon DBIR 2017 report indicates that 1 out of 4 data breaches are attributed to insiders and, in the healthcare domain, the situation is even worse, with 2 out of 3 breaches involving insiders and third parties.
As we’ve seen in past high-profile cases, data breaches caused by careless, malicious or compromised insiders are real and serious. Because the problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected. What’s more, costs associated with loss of data can run in the millions and lead to customer loss, brand damage and stock price decline.
To mitigate the risk, organisations should ask themselves where their sensitive data lies and invest in protecting it. Businesses can employ solutions, especially those based on machine learning technology that can process and analyse vast amounts of data, to help them pinpoint critical anomalies that indicate misuse of enterprise data and that also help them to quickly quarantine risky users to prevent and contain data breaches proactively.”
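The anomaly detection Mantin describes, where unusual volumes of data access by a legitimate user are flagged and the user is marked for quarantine, can be illustrated with a small detector. The following is an added example written for this page; it is not Imperva's, Bupa's or any vendor's code. The audit-log format, user names and record counts are constructed, and the leave-one-out z-score with an absolute cap is one simple scheme, not a statement of how any product works.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log excerpt in a hypothetical format (not Bupa's):
#   <timestamp> user=<id> action=<read|export> records=<n> dataset=<name>
# Three staff read a few dozen records a day; on the final day u_rogue
# exports a volume on the scale of the 547,000 records in the article.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2017-07-03T09:12:44Z user=u_alice action=read records=42 dataset=ihp_customers
2017-07-04T10:02:10Z user=u_alice action=read records=51 dataset=ihp_customers
2017-07-05T09:48:31Z user=u_alice action=read records=38 dataset=ihp_customers
2017-07-06T11:15:07Z user=u_alice action=read records=47 dataset=ihp_customers
2017-07-07T09:30:55Z user=u_alice action=read records=44 dataset=ihp_customers
2017-07-03T08:55:12Z user=u_bob action=read records=60 dataset=ihp_customers
2017-07-04T09:21:40Z user=u_bob action=read records=55 dataset=ihp_customers
2017-07-05T10:05:03Z user=u_bob action=read records=66 dataset=ihp_customers
2017-07-06T09:59:27Z user=u_bob action=read records=58 dataset=ihp_customers
2017-07-07T10:41:18Z user=u_bob action=read records=64 dataset=ihp_customers
2017-07-03T09:05:09Z user=u_rogue action=read records=40 dataset=ihp_customers
2017-07-04T09:44:51Z user=u_rogue action=read records=45 dataset=ihp_customers
2017-07-05T10:12:33Z user=u_rogue action=read records=38 dataset=ihp_customers
2017-07-06T09:37:20Z user=u_rogue action=read records=52 dataset=ihp_customers
2017-07-07T09:08:02Z user=u_rogue action=read records=50 dataset=ihp_customers
2017-07-07T21:52:46Z user=u_rogue action=export records=546950 dataset=ihp_customers
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) dataset=(?P<dataset>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "day": m["ts"][:10],          # calendar day from the ISO timestamp
            "user": m["user"],
            "action": m["action"],
            "records": int(m["records"]),
            "dataset": m["dataset"],
        })
    return events


def daily_volumes(events):
    """Return {user: {day: total records touched that day}}."""
    vols = defaultdict(lambda: defaultdict(int))
    for e in events:
        vols[e["user"]][e["day"]] += e["records"]
    return vols


def find_anomalies(events, z_threshold=3.0, absolute_cap=5000):
    """Flag user-days whose volume is an outlier against that user's own
    history, or which exceed an absolute cap regardless of history."""
    findings = []
    for user, days in daily_volumes(events).items():
        for day, total in sorted(days.items()):
            reasons = []
            if total > absolute_cap:
                reasons.append(f"exceeds absolute cap of {absolute_cap} records")
            # Leave-one-out baseline: the day under test is excluded, so a
            # single bulk export cannot inflate the statistics it is judged by.
            baseline = [v for d, v in days.items() if d != day]
            if len(baseline) >= 3:
                mu = mean(baseline)
                # Floor sigma so a perfectly flat baseline does not turn every
                # small fluctuation into an "infinite" outlier.
                sigma = max(pstdev(baseline), 0.1 * mu, 1.0)
                z = (total - mu) / sigma
                if z > z_threshold:
                    reasons.append(f"z-score {z:.1f} against own mean of {mu:.0f}")
            if reasons:
                findings.append({"user": user, "day": day,
                                 "records": total, "reasons": reasons})
    return findings


def quarantine_candidates(events, **kwargs):
    """Users with at least one flagged day, for an access freeze and review."""
    return sorted({f["user"] for f in find_anomalies(events, **kwargs)})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_anomalies(evts):
        print(f"{f['user']} on {f['day']}: {f['records']} records; "
              + "; ".join(f["reasons"]))
    print("quarantine:", quarantine_candidates(evts))
```

Two design choices matter in practice: the baseline for each day excludes that day, so one large export does not hide itself by stretching the standard deviation, and the absolute cap catches a first-day bulk export for which no per-user history exists at all. In a real deployment the thresholds would be tuned per role and dataset, and a flagged user would be routed to review and access suspension rather than acted on automatically.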
Paul Edon, Director at Tripwire:
“Unfortunately, humans are the weakest link in security. Despite many of us being trustworthy, there are some insiders that break and damage that trust. The worst thing is, anyone in the company could be an insider, and it is very difficult to vet everyone who has access to the various networks and sensitive data. Knowing what data is where is the first step in selecting the relevant security measures. The next step is controlling not only who has access to said data but also the level of access, ensuring each individual has only the access necessary to do their job; this can greatly reduce the risk of an insider threat. However, should a breach happen, it is imperative that the breached company has a rapid response. Changing passwords would be the first recommendation to further reduce exploitation. Victims of the breach would also need to monitor any indicators of identity theft and double-check that incoming emails and calls are from vetted addresses and numbers.”
Marco Cova, senior security researcher at Lastline:
“Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. The information that they gather does not have to be highly confidential in order to create successful attacks. Data breaches provide a distribution hub for malware for years to come.
“Overall, there are two major sources of cyber risk: people and technology. People can unwittingly (or purposely, of course) disclose confidential data like passwords, banking or personal information to a stranger. In addition, due to its complexity, Information Technology hides a high level of cyber risk buried deep in the software and in the processes to run and manage the technology.
“Cyber security practitioners generally recommend minimising the amount of data gathered and stored by an organisation. The aim is to reduce the amount of data that could be leaked during a cyber incident. However, healthcare firms need to gather and store large amounts of customer and case data to conduct their business. One way to address this challenge is to replicate the model of individual accountability often used in the financial and banking industries. First, every individual that has access to data in the company should be trained on the essentials of cyber security and data protection. Second, define data protection standards within the organisation. This includes identifying and classifying customer data, defining data protection processes and implementing the cyber security controls to protect the customer data. The process should also be supported by good auditing and monitoring processes. Finally, making a specific individual accountable for data protection across the organisation can also help. Given the resources and expertise of the cyber criminals and hacktivists, this individual would be ultimately responsible for handling the breach disclosure process.”