Bupa Data Breach

1986

The latest news has found that Bupa international health insurance has been hit by a data breach. An employee from their international health division, Bupa Global, had inappropriately copied and removed some customer information from the company. Around 108,000 international health insurance policies are affected. IT security experts commented below.

Andrew Clarke, EMEA Director at One Identity:

“We often hear about individuals who gain access to confidential information within a business sometimes that is accidental; occasionally malicious and more frequently we hear about the external hacker.  In all cases, once the data is compromised it could be misused for personal or financial gain.

“It is therefore imperative that business adopt a proactive position with respect to data governance : to control and manage who has access to specific data; why they need it and how long for.   When a person moves jobs/responsibilities internally within a company; they are granted access to new systems and data in order to meet their new responsibilities and often this means that their prior access is still in place.   This sometime creates issues around separation of duty.   Eg  if a person sets up and changes payroll and then moves to a new position that is approving payroll – the conflict arising is clear.  For situations like this, companies can adopt IAM tools that provision and de-provision user identities and associated access.

“Often access is permitted by having too much privilege.   Usually internal administrators but also applicable to external contractors that are maintaining systems, these type of powerful users can update and modify the operational systems which they need to do to perform their role – but uncontrolled this also opens the door to potential malicious activity.    This can be controlled and managed however using a privileged access management solution.   The more sophisticated versions of this tool even have privileged session management which can record and replay administrative behaviour which provided a company an accurate auditable record of these type of users.   Alongside other security measures, this provides a more robust control of access which ultimately protects the assets and data of a company from mis-use or theft.  With GDPR coming along in May 2018; companies will need to ensure that they have this under control, otherwise it will not just be the embarrassment of a data loss but a large financial penalty too.”

Darran Rolls, CISO & CTO at SailPoint:

“Unfortunately, there is no silver bullet solution to solve an employee error, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls they will be much more secure.

From an IT perspective, empowering users to work how they want requires a delicate balance between convenience and controls. Getting the balance wrong can result in both unhappy users and a host of new security vulnerabilities. The easiest answer is to simply lock everything down, however, policies that restrict access to cloud applications or limit their use via mobile and desktop control solutions are no longer an option for organisations looking to innovate and enable the agility required to win in business today.

Instead, businesses should embrace the end user’s desire to be productive. IT needs to facilitate controls with a balance of enhanced user access and new IT visibility and controls.

Identity governance is a key way to achieve this balance between user agility and IT controls. It provides the freedom to take advantage of the business benefits of on-demand cloud applications and BYOD, while providing IT and the business with a safety net of controls, oversight and governance.

By taking a governance-based approach to identity and access management, organisations can fuel the needs of an increasingly diverse, distributed and interconnected workforce, without losing control of critical data.”

 Jean-Frederic Karcher, Head of Security at Maintel:

“The data breach at Bupa proves the effectiveness of insider threats. Such threats are almost undetectable, making them one of the most difficult threats to prevent, and as a result, hugely successful at collecting data.

 In a little under a year, the introduction of the General Data Protection Regulation (GDPR) will fundamentally change the way organisations deal with, and report on, these data breaches. The regulation requires that businesses focus on protecting the confidentiality, integrity and availability of the personal data they handle.

This presents two challenges for organisations: discovering the breach quickly (most breaches are discovered months after they occur; on average 140 days after the intrusion succeeded) and managing the reputational fallout after a breach.

To do so a company must first understand that adding new technology will not necessarily solve the problem. Instead, the first port of call must be internal processes. Only when these are up to date and firing properly, can companies turn to tech.”

 Itsik Mantin, Director of Research at Imperva:

“Although people tend to associate breaches with hackers, the truth is that many data breaches involve inside work, as was this breach which happened, according to Bupa, by an employee.

This is not surprising given that Verizon DBIR 2017 report indicates that 1 out of 4 data breaches are attributed to insiders and, in the healthcare domain, the situation is even worse with 2 out of 3 breaches involving insiders and third-parties.

As we’ve seen in past high-profile cases, data breaches caused by careless, malicious or compromised insiders are real and serious. Because the problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected. What’s more, costs associated with loss of data can run in the millions and lead to customer loss, brand damage and stock price decline.

To mitigate the risk, organisations should ask themselves where their sensitive data lies and invest in protecting it. Businesses can employ solutions, especially those based on machine learning technology that can process and analyse vast amounts of data, to help them pinpoint critical anomalies that indicate misuse of enterprise data and that also help them to quickly quarantine risky users to prevent and contain data breaches proactively.”

Matthias Maier, Security Evangelist at Splunk:

“This data breach at Bupa is an example of how to communicate a data breach to affected individuals and update them on its potential impact. As of May 2018 when GDPR comes into effect, we will see many more examples like this as it becomes a mandatory obligation.

This Bupa example has illustrated how insiders have the advantage — they are within the organisation and have access to the environment. No perimeter defense or rule-based system can be effective in detecting, let alone preventing, their malicious activity. As a result, insider threats are amongst the hardest to catch and most successful in exfiltrating valuable corporate and customer data.

For this kind of breach, insights can be gleaned by analysing the audit trails of users. Thousands of data points need to be continuously collected and analysed to locate a breach. This requires advanced detection methods, such as utilising machine learning techniques, to identify the behavior of malicious employees. One technique for example, is to use peer group analysis to detect different behaviour of users within the same team. This would detect malicious activity early and give an organisation the chance to stop the rogue employee before they leave the building.”

Mark James, Security Specialist at ESET:

 “Data breaches are fast becoming the norm these days. We hear more and more about snippets of information being hoarded and collated within the internet to build profiles for unsuspecting phishing or scam victims. Attacks from outside usually can’t be anticipated or guessed but attacks from within are another matter. Employees who handle valuable information are of course trusted to keep it safe. There are of course many security measures we can have in place to protect that data from being leaked or stolen and we would expect measures like “Data Loss Protection” DLP to be in place to keep our most valued data safe.”

“In this instance, there seems to be a clear indication of what was and was not stolen with an emphasis on what’s “not” but any of the said data could be used in an attempt to scam or phish other details from you. When it comes to medical data we generally like to keep it to ourselves so any email or direct contact would more than likely be kept private. In an email to customers, Sheldon Kenton stated “The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.”

“When we receive spam emails we have to make a decision on its validity when it states “Dear Sir” or “Dear valued customer” then we often won’t give it the time of day but if that data is specific to the company then our attention is drawn and we are more than likely to be a victim as a result. If you are contacted by phone or email then double check with the sending organisation before further communication is made. They are fully aware of the problems these breaches cause and seem to be doing all the right things like notifying the affected parties and providing as much info as possible via a web page and video.”