Bupa Data Breach: Angry Employee Deletes Records Of More Than 500,000 Insurance Customers

United Kingdom-based international health insurance company Bupa experienced a database breach that has affected more than 500,000 customers as the result of a rogue employee’s actions.

The company first learned of the possibility of the breach in June and made public the exposure of customer data Thursday. About 547,000 customers are believed to be affected by the breach. The company is in the process of contacting customers who may have been compromised.

Read: Kmart Credit Card Data Breach: Malware Hits Stores For Second Time In 3 Years

According to Bupa, an employee working in its international insurance division, Bupa Global, “inappropriately copied and removed” information from the company’s systems. Bupa said the breach was not the result of a cyberattack but rather a “deliberate” action of an employee who has since been dismissed.

The data taken by the apparently disgruntled Bupa employee includes names, dates of birth, nationalities, and contact and administrative details including Bupa insurance membership numbers. Financial and medical data was not accessed.

Much of the data related to international insurance plans belonging to customers whose policy numbers begin with “BI.” Customers with domestic health insurance plans through the Britain-based insurer are not at risk, but those living in the U.K. who bought plans for use aboard may have been affected. Bupa said about 43,000 customers in the breach had addresses in the U.K.

In response to the breach, Bupa said it has introduced additional security measures and increased customer identity checks. “A thorough investigation is underway and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” Sheldon Kenton, managing director of Bupa Global, said in a statement.

Read: Avanti Markets Hacked: Credit Card Numbers, Biometric Data Stolen From Vending Machines

For the time being, it is not clear if the data stolen from Bupa’s systems has been made accessible anywhere else. It’s common for database breaches to eventually end up online, often traded on black market-style sites, but most of those breaches are the result of a third-party hack rather than an internal actor.

The data stolen from Bupa was made available to purchase online, presumably by the employee who stole it. DataBreaches.net noted a listing of the records appeared on the now-defunct dark web marketplace AlphaBay in late June.

Victims of the breach should remain vigilant about protecting their information and keep an eye out for attempts at fraudulent activity. Personal information, especially if paired with information from other breaches including passwords, can be used to further compromise a person’s online identity.

"Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks,” Marco Cova, senior security researcher at cybersecurity firm Lastline told International Business Times.

“They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. The information that they gather does not have to be highly confidential in order to create successful attacks.”

Cova suggested any organization—especially health insurance companies that rely heavily on user data—ensure that every individual with access to data in the company is trained on the essentials of cybersecurity and data protection. Additionally, he suggested holding individuals with access accountable should a breach happen that they were responsible for.