Almost 20,000 Australian customers of an international private health insurer have had their personal details leaked in a massive data breach caused by a disgruntled employee.
Bupa Global, which insures frequent travellers and expats, confirmed the private information of 547,000 customers worldwide, including 19,595 Australians, had been “inappropriately copied and removed” and handed to “other parties”.
“This was not a cyber attack or external data breach but a deliberate act by an employee,” Bupa Global managing director Sheldon Kenton said in a statement.
“The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.”
Kenton said the leaked data did not include any financial or medical data and the company was taking appropriate legal action while reaching out to those affected.
“We are contacting those customers who are affected to apologise and advise them as we believe the information has been made available to other parties.”
Bupa Global policies beginning with “BI” are the ones affected, with the insurer introducing additional security measures and increased customer identity checks.
“Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation,” Kenton said.
A Bupa Australia spokesperson said its customers were not affected by the breach.
“It was a deliberate act by an employee in the UK who had no access to customer data for the Bupa Australia Health Insurance business, which is kept on separate systems,” the spokesperson said.
This latest leak shows that external hackers aren’t the only cyber hazard for organisations: internal factors can also cause legal, financial, public relations and reputational problems.
According to research published by cybersecurity company Forcepoint last year, about 90 per cent of ASX-listed companies, government bodies and NGOs – including healthcare providers – have been exposed to a malicious, accidental or negligent insider threat.
Bupa Global confirmed the employee responsible has been fired.