Following today’s news that Bupa has been fined £175,000 by UK regulators for “systematic data protection failures” after an employee stole thousands of customers’ data and offered it for sale on the dark web, please see below for commentary from Fouad Khalil, Head of Compliance at SecurityScorecard.
Fouad Khalil, Head of Compliance at SecurityScorecard:
“This scenario is very typical. We are witnessing organisations (even ones with process maturity) having implemented quick and ineffective controls in an effort to speedily claim compliance with GDPR and other privacy laws. The disgruntled employee seems to have had more access than his job role requires due to the sheer volume of data he allegedly stole.
It also appears that there were insufficient monitoring and alerting controls that would have notified on repetitive and frequent copying of large amounts of personal data.
Realising the fact that the data was actually being sold online without detection for such a long time, also reflects insufficient monitoring capabilities of sensitive data that pops up on public domains.
There is a strong chance that, if an internal investigation were to take place, the control environment may present “material control weakness”. Meaning a complete failure of key controls designed to protect highly sensitive and company critical information.
Organisations must move away from point-in-time compliance and transition to continuous assurance (continuous auditing and monitoring) since what controls you thought were effective yesterday, may not be today due to the ongoing changes to production environments.
Other items to note:
- I question the completeness of their data inventory.
- I question whether they executed, or are planning to, a data protection impact assessment.
- I question if they have the proper data classifications for all personal data.
- I question if they have followed the life cycle of data for a complete assessment of risk to data from creation to destruction.
In summary, ineffective controls introduce high risks to all organisations. Point-in-time compliance dos not cut it any more. Ongoing monitoring and assessment of controls is critical and must be done frequently and after any production change.”