Major International Healthcare Organization Bupa Loses Customer Details to Insider Threat
Bupa, a major international healthcare group, announced yesterday, “We recently discovered an employee of our international health insurance division (which is called ‘Bupa Global’), had inappropriately copied and removed some customer information from the company.
Sheldon Kenton, Managing Director at Bupa Global, announced, “Around 108,000 international health insurance policies are affected,” and added; “The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.”
DataBreaches soon added some detail. “DataBreaches.net first became aware of the Bupa breach on June 23, when a listing appeared on the now-gone Alpha Bay marketplace by a vendor calling himself ‘MoZeal’.” MoZeal was a new member to AlphaBay, having joined on 2 May 2017; and DataBreaches conjectures “that ‘MoZeal’ is likely the rogue employee that Kenton referred to.”
DataBreaches provided the full list of stolen data as provided by MoZeal, which turns out to be more expansive than that provided by Bupa. It includes separate home and office fax, email address, mobile and landline phone numbers. DataBreaches also questions the Bupa statement. “While Bupa reports that 108,000 were affected, MoZeal’s listing and thread indicated that there were over 130,000 in the U.K. alone, and that overall there were about 500,000 – 1 million records for sale.”
SecurityWeek asked Bupa to clarify this, and was told, “All of the information and statements we have made public this week remain valid. We are aware of a report that suggests that on 23 June 2017 ‘a former employee claimed to have 1m records for sale’. Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken relates to duplicate copies of some records.”
For now, Bupa is providing little more information. It is contacting those customers who are affected “to apologize and advise them as we believe the information has been made available to other parties.” This implies that affected customers should be particularly wary about phishing attempts seeking additional information, either for complete identity theft or just to steal bank account details or card numbers.
Earlier this week, Kaspersky Lab published a study on “The Human Factor in IT Security”, showing the extent to which employees are making businesses vulnerable from within. Kaspersky’s principal security researcher David Emm believes employees rank at the very top of the list of threats to data and systems. “When insider-assisted attacks do occur,” he told SecurityWeek, “the impact of such attacks can be devastating as they provide a direct route to the most valuable information — in this case, customer data.”
David Kennerley, director of threat research at Webroot, adds, “Because of the nature of the information that’s been leaked, Bupa Global customers who have been affected need to be extra vigilant, without doubt they are now prime targets for phishing attacks and other targeted activities, as well as possible identify theft.”
The potency of identity theft should not be underestimated. On Monday this week Alf Goransson — the CEO of Securitas, Sweden’s largest security firm — was declared bankrupt by the Stockholm District Court (it is expected to be rescinded). A fraudulent loan had been taken out in his name in April after his identity was stolen at the end of March. The perpetrator also used his name to request bankruptcy. The bankruptcy led to Goransson’s automatic deregistration by the Swedish Companies Registration Office as the Securitas CEO.
In the Bupa incident, the perpetrator is known and has been dismissed, and Bupa is taking ‘appropriate legal action’. In response to SecurityWeek’s request for clarity, Bupa said, “It was an existing employee.” It was neither an ex-employee, nor a contractor. “Just to reiterate,” continued Bupa, “the employee had access to this information as part of their job and chose to abuse their position. The employee responsible has been dismissed. Bupa has a zero-tolerance attitude towards data theft.”
Bupa has not said how it discovered the breach, whether it was via its own internal controls or because a third-party (such as law enforcement) recognized it on the dark web. Nor has it said exactly when it discovered the breach, nor when it dismissed the employee.
The UK data protection regulator, the Information Commissioners Office (ICO), confirmed that it knows about the incident and told SecurityWeek, “Organizations have a duty to protect people’s privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries.” However, the ICO declined to tell SecurityWeek when it had been informed of the breach.
Since DataBreaches knew about the loss on 23 June, it is likely that Bupa knew about it around the same time. That implies that the AlphaBay takedown occurred after MoZeal’s offer to sell Bupa data, and before Bupa disclosed the loss. The timing is most probably coincidental; but nevertheless, the only SecurityWeek question that Bupa completely ignored, was this: “Does the theft of your data and its subsequent offer for sale on AlphaBay have anything whatsoever to do with AlphaBay being taken down?” When companies limit the information they provide in their disclosures, there is a great temptation to fill in the gaps.