A London health insurance agency has been hit with a massive data breach. The personal information of about 547,000 people was compromised.
An employee of Bupa Global gained access to customers' names, birthdates, nationalities and some contact information, affecting customers of about 108,000 international health insurance plans. Financial data and medical information were not exposed. The company is contacting those affected.
"This was not a cyber attack or external data breach but a deliberate act by an employee," said Sheldon Kenton, managing director of Bupa Global, in a statement.
Unlike recent ransomware attacks, this breach came from within the company. "The data breach really highlights the fact that employees can still be an organization's weakest link with regards to security," said David Kennerley, director of threat research for Webroot.
Bupa did not name the employee or say when the breach occurred. "Because the problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected," said Itsik Mantin, director of security research at Imperva. "What's more, costs associated with loss of data can run in the millions and lead to customer loss, brand damage, and stock price decline."
Bupa said it has added security measures since the breach to bolster its internal controls.