BUPA breach – why names and addresses matter

Yesterday, we wrote about a rather large data breach at UK private healthcare company BUPA.

BUPA has already published an explanation of what it knows so far – and the company is to be commended for its plain-talking approach that avoids the sort of confusing language that we’ve often heard in the past.

Apparently, only customers who are covered by one of BUPA’s Global’s international plans (extra medical cover for when you work or travel overseas) were affected.

If you have a local BUPA health plan – that’s local to you, not just local to the UK, where BUPA is headquartered – then it seems that you don’t have to worry.

According to BUPA, this incident was an insider breach of the Chelsea Manning or Ed Snowden sort, rather than the work of hackers who got in from outside and managed to wander around until they found something of value.

This was an insider attack caused by an employee who deliberately copied (and then tried to delete) data from about 108,000 insurance policies providing cover for 547,000 people.

One silver lining in this story is that the deletion part of the crime didn’t work out, because BUPA is, or has already, contacted affected customers, which it couldn’t have done if it no longer knew who they were.

(You will have heard us urging you to keep proper backups many times – and this gives you one more good reason why!)

A second silver lining is that the employee concerned has been sacked – not that it’s pleasant for anyone to lose their job, but it’s reassuring to know that the person is no longer in any sort of insider position, and therefore can’t easily repeat the attack.

Whether or not that ex-employee will face further civil or criminal charges we don’t yet know.

A third silver lining is that only core customer data was taken – in database terms, it sounds as though customer records were copied, but not any financial or medical records to which the main customer database was linked.

What next?

When data gets stolen in a breach of this sort, you know it’s already in the hands of at least one crook, so you need to assume that any number of other criminals have access to it as well.

In this case, BUPA’s own Questions and Answers document suggests that the stolen data has already shown up for sale in the cyberunderground – but even if it hadn’t shown up, who can say how securely the original thief stashed it, whether they showed it to anyone else , and what they planned to do with it next?

Remember that the more personal data that crooks have about you, the more believably they can attack.

In particular, if you’re one of those people who backs yourself to spot any and all phishing emails “because they always start with a dead giveaway such as Dear Sir/Madam/Other or Attention Customer“…

…then please think again.

We’ve recently seen phishing campaigns in the UK that were much more believable than usual because they included name and home address details.

Accurate personal details make phishing cover stories – such as allegedly unpaid household bills – sound perfectly reasonable.

Even if you are sure that you don’t owe anything, a realistic fake invoice phish might make you think you are dealing with an honest mistake, rather than realising that you are in the middle of an utterly dishonest attempt to trick you.

As far as we can tell, the address data in the abovementioned attacks, both of which happened in the past year, probably came from an eBay data breach more than three years ago – a reminder that data breaches can have long-lasting consequences even if they sound mostly harmless at first.

What to do?

Whether you’re a BUPA customer or not, keep in mind that crooks regularly share, sell or steal already-breached data with, to and from each other.

Unfortunately, even a smattering of personal data in an email or phone call makes social engineering and phishing attacks more likely to succeed.


  • Don’t open unsolicited or unexpected attachments, or click unexpected links, especially not on the say-so of an unknown sender.

Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you. If the document seems to know who you are – for example, because it contains your full name, your address, your place of work or your bank’s name – don’t assume you can trust it for that reason alone.

  • If you’re unsure what to do, ask someone you actually know and trust, such as a friend or family member.

Never ask the sender of the email or the voice on the other end of the phone for advice, no matter how much personal information they trot out to make you think they’re genuine. They will simply tell you what they want you to hear, not what you need to know.

  • Keep an eye on your financial statements.

Just in case. Because you can.


(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)