2018-10-01

THE INFORMATION COMMISSIONER'S OFFICE (ICO) has slapped Bupa with a £175,000 fine after a rogue staffer flogged patient data on the dark web.

The ICO has had a busy weekend. After scolding Facebook and, er, the Tory party over data mishaps, the watchdog announced that it's fining Bupa for "failing to have effective security measures in place to protect customers' personal information."

Back in 2017, between the months of January and March, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers from the company's CRM system, known as SWAN. This compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web.

Bupa was alerted to the breach on 16 June 2017 by an external partner who spotted customer data for sale. The company also received 198 complaints about the incident and, at this time, the brazen employee was dismissed and Sussex Police informed.

The ICO said Bupa "did not routinely monitor SWAN's activity log", was unaware of a defect in the system, and was unable to detect unusual activity such as bulk extractions of data, failings which saw the company fall foul of the Data Protection Act 1998.

ICO Director of Investigations, Steve Eckersley, said: "Bupa failed to recognise that people's personal data was at risk and failed to take reasonable steps to secure it.

"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."

At the time of the breach, Graham Cluley told the INQUIRER that such rogue insiders will always be a problem because companies are focussing their attention in the wrong direction.

"Rogue employees are one of the biggest challenges for any business," he said. "There's so much focus on external hackers, and too little on staff."