back to article Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk

International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web. The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, generate and send bulk data reports on 547,000 Bupa …

  1. JimmyPage Silver badge
    FAIL

    Oh FFS !!!!!

    The staffer was one of 20 users with unfettered access to search, view and download data onto personal drives from SWAN

    Well, that's 20 too many.

    1. cbars

      Re: Oh FFS !!!!!

      you almost always need an Admin account to find 'bad'/orphan etc data (unless you're a startup with no legacy data). Splitting the data (by region etc) just means you need more people acting as Admin. Is it better to trust one Admin or many...?

      Depends on your threat model, I suppose. If you're complaining about the download capability - then I would just say - you can't stop people photographing the screen, so your procedures shouldn't be about preventing people querying data - they should be about *detecting* that access. Pretty unusual day at the office if half a million records get reviewed by a single human.

      1. Anonymous Coward
        Anonymous Coward

        Re: you almost always need an Admin account

        Of course. But that's not the same as an account which has the rights to download ALL records ONTO A ****ING storage device.

        In addition, a little bit of sensible encryption would have meant that even the administrators couldn't make sense of the data.

        Homomorphic encryption was designed for this.

        1. cbars

          Re: you almost always need an Admin account

          @Anon, My point is that if you can see it, it's not encrypted, so you can't protect it at that point; where you download it to is irrelevant. Homomorphic encryption does not help if your Admin needs to examine the data, it's just intellectual masturbation in most cases.

          1. Mongrel

            Re:...if you can see it, it's not encrypted

            So, blindfold the data people?

            At some point you have to balance being able to actually use the data otherwise it's just more intellectual masturbation.

            1. cbars

              Re: ..if you can see it, it's not encrypted

              @Mongrel

              If you're responding to me, that was exactly my point, if you read my posts. People need to see the data to use it - however at this point downloading (that bit) is irrelevant. Controls should be monitoring people are not accessing 1 million records a day.

      2. Anonymous Coward
        Anonymous Coward

        Re: Oh FFS !!!!!

        Segregation of duty is missing.

        (S)he should not have had access to removable media OR control of the function to manage access to removable media.

        Nether should they have had the ability to move data to a system with external connectivity.

        Am also guessing HR check were weak or not completed correctly.

  2. Anonymous Coward
    Anonymous Coward

    That's private healthcare for you. With the NHS, at least Google paid for the privilege of getting hold of loads of patients' details.

  3. Version 1.0 Silver badge

    ROTFLMAO

    And we're expected to believe that nobody else had access and was more careful in their marketing?

    1. Tom Paine Silver badge
      Joke

      Re: ROTFLMAO

      "No, Mr Version 1.0 -- I expect you to die!"

  4. Tom Paine Silver badge

    Total game changer!

    Well, GDPR has certainly put the cat among the infosec pigeons now! This gigantic, eye-watering fine will devastate the £12 Bn[1] annual turnover firm and cause a revolution in security throughout the country.

    As a humble grunt toiling in the security trenches I for one can't wait for another 70 mins to pass so I can open a nice bottle of cask-conditioned real risk controls and get mitigating.

    [1] H118 half-year report https://www.bupa.com/corporate/our-performance/financial-results

    1. Doctor Syntax Silver badge

      Re: Total game changer!

      "Well, GDPR has certainly put the cat among the infosec pigeons now! This gigantic, eye-watering fine will devastate the £12 Bn[1] annual turnover firm and cause a revolution in security throughout the country."

      Go back and read the article. Notice the bit that says "June last year". Compare that with the date GDPR became operative. Note that it's earlier so the old rules apply under which the maximum fine was £500,000. At 2% of annual turnover the maximum fine would have been nearly 500 times larger form a £12bn under GDPR.

      Go back to the article again and notice the bit that says that they turned themselves in. That automatically exempts them from a maximum fine - if it didn't work that way there'd be no incentive for anyone to do that.

      1. John Brown (no body) Silver badge

        Re: Total game changer!

        "Note that it's earlier so the old rules apply under which the maximum fine was £500,000. "

        Note also that the actual fine is significantly less than the maximum allowed, with a further 20% discount for prompt payment. Even under GDPR, I doubt the fine would have been anywhere near the maximum capped limit. In fact, I doubt the fine if under GDPR rules would have been any higher than the one imposed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Total game changer!

          And even with that pittance, why a 20% discount for prompt payment rather than a 20% surcharge if they don’t - its supposed to be a punishment, not a special offer.

          1. John Brown (no body) Silver badge

            Re: Total game changer!

            "And even with that pittance, why a 20% discount for prompt payment rather than a 20% surcharge if they don’t - its supposed to be a punishment, not a special offer."

            I agree, but it's probably to encourage payment of the fine and discourage legal challenges.

          2. EnviableOne Bronze badge

            Re: Total game changer!

            just like you get 50% of your prison sentence for good behaviour .....

  5. Anonymous Coward
    Anonymous Coward

    Fined 0.05% of their annual profits, nobody sacked apart from the guy who tried to sell it.

    175,000 is probably a weekend on the piss for one of their execs.

  6. HieronymusBloggs Silver badge

    HR

    Pity their HR procedures didn't include screening out utter twats from being hired.

    1. adnim Silver badge
      Joke

      Re: HR

      It can't be easy for them, I managed to get several jobs over the years.

  7. Anonymous Coward
    Anonymous Coward

    When I used to work there I had an ODBC link to every customer record and full credit card details though I would never have dreamt of selling it. It was necessary for the role I was doing, what I.T. should have done was create a front end for access per record. I did that myself in excel/access of all things and locked it down as best I could. So this doesn't surprise me.

  8. Anonymous Coward
    Anonymous Coward

    I remember working there many years ago when they were trying to get off their green screen database technology and on to a new system. Hilariously when they did their Y2K compliance and were asked how far into the 21st century they wanted it to work, they replied "2010. No-one will be using this system in 2010".

    They had been given from Friday lunchtime to Monday 0900 to do the migration. When I left the whole project was years late and the migration was taking 13 days.

    1. Anonymous Coward
      Anonymous Coward

      We have a customer who has delayed a migration by two years since it started. Fairly certain it will never work now but they've given us a 12 hour window to get it done.

      1st attempt has failed, 2nd isn't expected to go well and the 3rd.. Well they've made their main person redundant so can't see it going anywhere!

      System is running unsupported OSs and probably has CC data on it..

  9. Zippy´s Sausage Factory
    Meh

    No mention of how someone can find out if their records were offered for sale, of course. Not sure I'd want my medical history splattered all over the web somewhere...

    1. Anonymous Coward
      Anonymous Coward

      No need to guess, it is every BUPA customer.

      1. Zippy´s Sausage Factory
        Facepalm

        I meant whether they were actually passed onto someone rather than just offered for sale.

        I blame a coffee underflow error.

  10. Nightkiller

    And in Other News

    What the hell was this other guy doing on TOR who just happened to stumble on these records on a DarkWeb site?

    What did they get out of it? Revenge?

    1. tfewster Silver badge
      Facepalm

      Re: And in Other News

      "an external partner" - There are "Reputation Management" companies that will trawl the Dark Web on your behalf, for a fee.

      Though it's always sounded a bit dodgy to me: "Nice dataset you've got there - Be a shame if it got leaked, wouldn't it?"

      1. phuzz Silver badge

        Re: And in Other News

        I always assumed it was the other way around. They go trawling around looking for data, then go to the company involved and say "look what we found, you should probably pay us some money to make sure this doesn't go any further".

        Probably both I suppose. Get one company to pay you to go looking for data, and keep an eye out for other firms leaks while you're at it.

  11. Anonymous Coward
    Anonymous Coward

    My records were amongst those leaked

    BUPA wrote to me last year, telling me about the leak. Aside from their loss of my data, I was surprised that BUPA still had any of my data, as it was nine years since I had terminated my policy with them.

    I replied to BUPA, asking what exact data had been lost i.e. not the field names but which address, phone numbers, etc. They were unable to tell me and claimed to have asked their IT department to check but I never heard back from them.

    Annoyingly, Equifax also lost/leaked my details last year as well.

    1. Anonymous Coward
      Anonymous Coward

      Re: My records were amongst those leaked

      Complain to the ICO for failure to correctly respond to a subject access request.

  12. Anonymous Coward
    Anonymous Coward

    Name and shame the 'fired-focker'

    Question: why has all this to be done in secret?

    This 'focker' will probably do it again elsewhere...

    Yes, controls are needed but shaming is too, no?

    1. Anonymous Coward
      Anonymous Coward

      Re: Name and shame the 'fired-focker'

      The culprit merely lost their job? I'd have thought they should be in court, facing a hefty fine and/or jail time.

    2. jgcp1

      Re: Name and shame the 'fired-focker'

      It's fair enough that, when a company fails to take proper care of sensitive client data, they should be fined. But why don't the thieves who steal the data in the first place get some prison time? It seems to me rather like fining the homeowner who is burgled because a window was left open. I have little sympathy for hackers, scammers and thieves who make so many lives miserable.

  13. Ken Moorhouse Silver badge

    Bupa's CRM system SWAN

    They will find the data down the swan knee.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019