Fine for Bupa Insurance Services for Insufficient Data Security Measures
Published on: 1st October 2018
By PYXI GDPR Team
The ICO has reported that:
"Bupa Insurance Services Limited (Bupa) has been fined £175,000 by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to protect customers’ personal information."
The judgement goes on to disclose that:
"Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web."
"Bupa and the ICO received 198 complaints about the incident. The rogue employee was dismissed and Sussex Police issued a warrant for his arrest."
While there was a clear criminal act on the part of the employee, the ICO's investigation revealed significant systemic failings in the business that they believe put this data at risk for "a long time".
It is clear from this and many other cases in the press and on the ICO website that there is joint liability for such incidents: insufficient data security and data protection measures are seen as negligence on the part of the organisation, and may result in fines of this kind.
PYXI GDPR Team: 1st Oct 2018 09:02:00