The lost data included names, dates of birth, nationalities and, in some cases, contact information. BUPA pointed out that no financial or medical details had been lost because of this breach.
Actions following this
BUPA reassured customers that they are investigating the issue further but can confirm that customers with policy numbers starting “BI” are affected; they also said that domestic health insurance policyholders are not affected.
UK customers that purchased plans for travelling abroad could also be affected by this.
BUPA have already dismissed the user that was the cause of this and are planning to take legal action.
What can they do with the information?
The information gathered contains enough detail for the cyber thief to socially engineer affected BUPA customers and trick them into providing card details etc.
Could it have been prevented?
On this occasion, it happened to be a case of the human factor instead of a clever virus or malware. This issue just reinforces that trusting an employee is always a risk when they have access to sensitive data.
Vetting staff and even making a point of limiting the users’ access at the network level could have prevented this. Only give your staff access to what they need to access and nothing else.
For more information, please visit http://www.bbc.co.uk/news/technology-40595581