BUPA Breach

Next story
Olivia Storey

BUPA customers are taking to Twitter to express concerns regarding a recent email informing them about a breach to their personal information and health insurance policy.

BUPA wrote to their customers as an employee copied, removed and stole customer information, including names, date of birth, nationality, membership numbers, email addresses, phone numbers and administrative information regarding policy and policy beneficiaries.

Although no addresses or financial information was; taken, it is still a serious data breach which has left customers vulnerable and open for scams. BUPA does say they are taking the breach very seriously, with a thorough investigation and legal action against the now ex-employee.

The Twitter posts showed screenshots of the email and even Tweeting the Information Commissioner’s Office asking whether there will be a full investigation into this data breach.

Mark James, ESET IT Security Specialist, discusses the repercussions of a data breach like this and what customers should be vigilant in looking for in potential scams.

Data breaches are fast becoming the norm these days.

“We hear more and more about snippets of information being hoarded and collated within the internet to build profiles for unsuspecting phishing or scam victims.

“Attacks from outside usually can’t be anticipated or guessed, and even when we know we are going to be attacked, like financial organisations, those attacks still make it through.

Attacks from within are another matter.

“Employees who handle valuable information are of course trusted to keep it safe. We do not expect it to happen, and there are of course many security measures we can have in place to protect that data from being leaked or stolen.

“We would expect measures like “Data Loss Protection”, or DLP, to be in place to keep our most valued data safe.

“This particular leak is one of those cases. There seems to be a clear indication of what was, and was not, stolen with an emphasis on what’s “not” but any of the said data could be used in an attempt to scam or phish other details from you.

“When it comes to medical data we generally like to keep it to ourselves so any email or direct contact would more than likely be kept private.

“When we receive spam emails we have to make a decision on its validity when it states “Dear Sir” or “Dear valued customer” then we often won’t give it the time of day, but if that data is specific to the company then our attention is drawn and we are more than likely to be a victim as a result.

“Sheldon Kenton has stated that the data taken includes: names, dates of birth, nationalities, and some contact and administrative details including BUPA insurance membership numbers.

If you are contacted by phone or email then double check with the sending organisation before further communication is made.

“They are fully aware of the problems these breaches cause and seem to be doing all the right things like notifying the affected parties and providing as much info as possible via a web page and video.”


Should BUPA be punished for a breach of this kind? Let us know on Twitter @ESETUK.


Join the ESET UK LinkedIn Group and stay up to date with the blog. If you are interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.