Health insurance company BUPA has been hitting the headlines over the past year or so due to a significant data breach that took place in early 2017.
Between January 6th and March 11th 2017, an employee managed to access their customer relationship management system (SWAN) and extract credentials of 547,000 global customers. The information included name, date of birth, email address and nationality, and was later put up for sale on the dark web.
Thankfully, no financial information was taken from the system. Even so, because the data was later found for sale, the consequences for BUPA and the affected customers could have been much larger.
In September 2018 they were fined £175,000 under the Data Protection Act 1998, as the breach happened before the EU GDPR laws were enforced.
What Went Wrong?
Due to the ‘rogue insider’ nature of this breach, it’s not hard to see how it happened so easily. At the time, BUPA didn’t review their activity logs frequently enough, meaning that the breach went undetected for some time. It was only detected when a third party notified BUPA in July 2017 that its data was for sale on the dark web.
With such a large amount of data being extracted, the anomaly in traffic flow would have stood out clearly on a monitored system. Had they been checking, this whole situation could have been avoided.
“BUPA failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.” said Steve Eckersley, ICO Director of Investigations.
What Solutions Would Have Helped?
Monitoring the traffic flow of the SWAN system is the key thing that BUPA should have done. One way this can be achieved is by adopting an approach based on the principle that no one inside or outside the network can be trusted. This would involve having an automated system decide in real time which transactions are permitted, so the employee wouldn’t have been able to access the data in the first place.
This strategy also involves various other technologies and techniques such as multi-factor authentication (MFA), single sign-on (SSO) and operating on a ‘need to know’ access basis. All of these can help protect against threats such as those seen at BUPA.
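The two controls discussed above, spotting an extraction anomaly in the access logs and deciding in real time whether a transaction is permitted, can be shown together in a small monitor. The following is an added example written for this article; it is not BUPA's code, and the log format (`timestamp user=… action=… records=…`), the user names and the record counts are constructed, since the real SWAN log format is not public. The per-user baseline factor and the 24-hour export cap are illustrative thresholds, not values from the case.

```python
"""Added example: detecting bulk record extraction from CRM access logs and
gating export requests against a rolling cap. The log format, users and
counts below are constructed for illustration (assumption, not SWAN's format).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Assumed line shape: "<ISO timestamp> user=<id> action=<view|export> records=<n>"
LOG_LINE = re.compile(r"^(\S+) user=(\S+) action=(view|export) records=(\d+)$")

# Constructed sample log: agents normally touch a handful of records a day;
# one account then starts pulling thousands in the evening.
SAMPLE_LOG = """\
2017-01-03T09:12:00 user=agent01 action=view records=12
2017-01-03T10:40:00 user=agent02 action=view records=8
2017-01-03T11:05:00 user=agent07 action=view records=15
2017-01-04T09:30:00 user=agent01 action=view records=10
2017-01-04T14:00:00 user=agent02 action=export records=20
2017-01-04T15:10:00 user=agent07 action=view records=9
2017-01-05T09:01:00 user=agent01 action=view records=11
2017-01-05T09:20:00 user=agent02 action=view records=7
2017-01-05T13:45:00 user=agent07 action=view records=14
2017-01-06T18:30:00 user=agent07 action=export records=4000
2017-01-06T18:45:00 user=agent07 action=export records=3500
2017-01-06T09:15:00 user=agent01 action=view records=13
"""


def parse_log(text):
    """Parse log text into (timestamp, user, action, record_count) tuples.
    Malformed lines are skipped so one bad line cannot stop the monitor."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, user, action, n = m.groups()
        events.append((datetime.fromisoformat(ts), user, action, int(n)))
    return events


def daily_totals(events):
    """Total records touched per (user, calendar day)."""
    totals = defaultdict(int)
    for ts, user, _action, n in events:
        totals[(user, ts.date())] += n
    return totals


def find_anomalies(events, factor=10, min_history_days=2):
    """Return (user, day, total, baseline) for every day on which a user's
    record total exceeds `factor` times their median total on earlier days.
    Users with fewer than `min_history_days` of history are not scored yet."""
    per_user = defaultdict(dict)
    for (user, day), n in daily_totals(events).items():
        per_user[user][day] = n
    alerts = []
    for user, days in per_user.items():
        for day in sorted(days):
            history = [n for d, n in days.items() if d < day]
            if len(history) < min_history_days:
                continue
            baseline = statistics.median(history)
            if days[day] > factor * baseline:
                alerts.append((user, day.isoformat(), days[day], baseline))
    return alerts


def permit_export(events, user, requested, now_iso, window_hours=24, cap=500):
    """Real-time policy decision: allow the export only if it keeps the user's
    exported-record total within `cap` over the trailing `window_hours`."""
    now = datetime.fromisoformat(now_iso)
    window = timedelta(hours=window_hours)
    recent = sum(n for ts, u, action, n in events
                 if u == user and action == "export" and now - window <= ts <= now)
    return recent + requested <= cap


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, day, total, baseline in find_anomalies(evs):
        print(f"ALERT {user} on {day}: {total} records (baseline {baseline})")
    print("agent07 export allowed:", permit_export(evs, "agent07", 100, "2017-01-06T19:00:00"))
    print("agent01 export allowed:", permit_export(evs, "agent01", 100, "2017-01-06T19:00:00"))
```

Run against the constructed log, the anomaly check flags only `agent07` on 2017-01-06 (7,500 records against a median baseline of 14), and the policy check refuses a further export from that account while still permitting one from `agent01`. The baseline is computed from each user's own history rather than a global threshold, so a genuinely busy agent is not flagged simply for being busier than colleagues.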
What Can Be Learnt For The Future?
As more large organizations suffer data breaches, and more customer credentials are compromised, it is clear how important cybersecurity is today. The threat landscape is constantly evolving with new attack vectors and techniques for breaching data, giving businesses even more reason to evaluate their current cybersecurity solutions.
Keeping your data secured is also more important than ever now that GDPR has been fully implemented. Had BUPA’s breach happened just a little later, they could’ve faced fines of up to €20 million.
The breach demonstrates how important it is to monitor your systems and keep policies up to date to improve the chances of preventing a breach or detecting faults and unusual activity.