The UK’s Information Commissioner’s Office (ICO) has fined Bupa £175,000 after an investigation found the health insurer failed to have "effective security measures in place to protect customers' personal information" in the wake of an incident that saw an employee extract data of 547,000 global customers during January and March 2017 and put it up for sale on the dark web. 

The employee accessed the sensitive information through Bupa's customer relationship management system, SWAN, which stored at the time records relating to 1.5 million people and was used to manage claims under customers' international health insurance policies.

According to the UK regulator, the employee sent "bulk data reports" to his personal email account, which included information on names, dates of birth, nationality and email addresses. An external partner spotted the records for sale on a popular dark web site reported to have had more than 400,000 users at the time, which was shut down by US authorities in July last year. According to information released by the ICO, the advert read:

“DB [database] full of 500k+ Medically insured persons [sic] info from a well-known international blue chip Medical Insurance Company. Data lists 122 countries with info per person consisting of Full name, Gender, DOB, Email Address plus Membership Details excluding CC Details.”

The ICO found that Bupa was not "routinely" monitoring the activity log of the SWAN system and was unaware of an error that meant they were unable to spot unusual activity - such as extracting large amounts of data. The watchdog said its investigation uncovered "systemic failures in Bupa's technical and organisational measures". 

“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them,” said Steve Eckersley, ICO Director of Investigations.

The employee has since been dismissed and UK police have issued a warrant for his arrest. The ICO said the incident was dealt with under the Data Protection Act 1998 and not the General Data Protection Regulation and 2018 Act replacing it in May this year, according to the timing of the breach.

A representative for Bupa Global said in a statement:

"We accept this decision by the ICO and have cooperated fully with its investigation. We take our responsibility for protecting customer information very seriously. We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks." 

Meanwhile, the ICO has released guidance on how to keep IT systems safe and secure, looking at computer, email and fax security and staff training.