Data protection regulator has slapped Bupa with a £175,000 fine for failing to protect the personal information of more than half a million customers, the Information Commissioner’s Office (ICO) announced today.
Between January and March 2017, a Bupa employee was able to steal the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.
ICO director of investigations Steve Eckersley added: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.
“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”