Fine for Bupa Insurance Services for Insufficient Data Security Measures

Published on: 1st October 2018
By PYXI GDPR Team


The ICO has reported that:

"Bupa Insurance Services Limited (Bupa) has been fined £175,000 by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to protect customers’ personal information."

The judgement goes on to disclose that:

"Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web."

"Bupa and the ICO received 198 complaints about the incident. The rogue employee was dismissed and Sussex Police issued a warrant for his arrest."

While there was a clear criminal act on the part of the employee, the ICO's investigation revealed significant systemic failings in the business that it believes put this data at risk for "a long time".

It is clear from this and many other cases in the press and on the ICO website that there is joint liability for such incidents. Insufficient data security and data protection measures are seen as negligence on the part of the organisation, and may result in fines of this kind.
