Yesterday, we wrote about a rather large data breach at UK private healthcare company BUPA.
BUPA has already published an explanation of what it knows so far – and the company is to be commended for its plain-talking approach that avoids the sort of confusing language that we’ve often heard in the past.
Apparently, only customers who are covered by one of BUPA’s Global’s international plans (extra medical cover for when you work or travel overseas) were affected.
If you have a local BUPA health plan – that’s local to you, not just local to the UK, where BUPA is headquartered – then it seems that you don’t have to worry.
According to BUPA, this incident was an insider breach of the Chelsea Manning or Ed Snowden sort, rather than the work of hackers who got in from outside and managed to wander around until they found something of value.
This was an insider attack caused by an employee who deliberately copied (and then tried to delete) data from about 108,000 insurance policies providing cover for 547,000 people.
One silver lining in this story is that the deletion part of the crime didn’t work out, because BUPA is, or has already, contacted affected customers, which it couldn’t have done if it no longer knew who they were.
(You will have heard us urging you to keep proper backups many times – and this gives you one more good reason why!)
A second silver lining is that the employee concerned has been sacked – not that it’s pleasant for anyone to lose their job, but it’s reassuring to know that the person is no longer in any sort of insider position, and therefore can’t easily repeat the attack.
Whether or not that ex-employee will face further civil or criminal charges we don’t yet know.
A third silver lining is that only core customer data was taken – in database terms, it sounds as though customer records were copied, but not any financial or medical records to which the main customer database was linked.
When data gets stolen in a breach of this sort, you know it’s already in the hands of at least one crook, so you need to assume that any number of other criminals have access to it as well.
In this case, BUPA’s own Questions and Answers document suggests that the stolen data has already shown up for sale in the cyberunderground – but even if it hadn’t shown up, who can say how securely the original thief stashed it, whether they showed it to anyone else , and what they planned to do with it next?
Remember that the more personal data that crooks have about you, the more believably they can attack.
In particular, if you’re one of those people who backs yourself to spot any and all phishing emails “because they always start with a dead giveaway such as
Dear Sir/Madam/Other or
…then please think again.
We’ve recently seen phishing campaigns in the UK that were much more believable than usual because they included name and home address details.
Accurate personal details make phishing cover stories – such as allegedly unpaid household bills – sound perfectly reasonable.
Even if you are sure that you don’t owe anything, a realistic fake invoice phish might make you think you are dealing with an honest mistake, rather than realising that you are in the middle of an utterly dishonest attempt to trick you.
As far as we can tell, the address data in the abovementioned attacks, both of which happened in the past year, probably came from an eBay data breach more than three years ago – a reminder that data breaches can have long-lasting consequences even if they sound mostly harmless at first.
What to do?
Whether you’re a BUPA customer or not, keep in mind that crooks regularly share, sell or steal already-breached data with, to and from each other.
Unfortunately, even a smattering of personal data in an email or phone call makes social engineering and phishing attacks more likely to succeed.
- Don’t open unsolicited or unexpected attachments, or click unexpected links, especially not on the say-so of an unknown sender.
Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you. If the document seems to know who you are – for example, because it contains your full name, your address, your place of work or your bank’s name – don’t assume you can trust it for that reason alone.
- If you’re unsure what to do, ask someone you actually know and trust, such as a friend or family member.
Never ask the sender of the email or the voice on the other end of the phone for advice, no matter how much personal information they trot out to make you think they’re genuine. They will simply tell you what they want you to hear, not what you need to know.
- Keep an eye on your financial statements.
Just in case. Because you can.
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
7 comments on “BUPA breach – why names and addresses matter”
Lots of good stuff here, thanks Paul.
Missing word–I vote for “info” (do we pedants still insist “data” is a plural noun?):
A third silver lining is that only core customer was taken
Thanks, Bryan, for your eagle eye – I’ve fixed that.
(I treat data as a plural noun – pedants of the world, unite!)
…so wouldn’t it be “data were taken” instead?
Sorry… feel free to delete this comment; I truly am only trying to help. I try to not be too nitpicky.
A banner outside my office begins with the phrase “In route to the Serengeti…” and that letter “i” bugs me each time I head down the hall.
In modern English there is no question that “data” is a singular noun. To treat it as a plural can prescriptively be considered wrong. (I state that as a fact, not as an opinion 🙂
The reason for that is simple: we no longer use “data” in a way that is consistent with the plural of the still-extant word “datum”.
If you need to pluralise “datum”, write “datums”. (There is no need to use Latin plurals for English words – indeed, my preference is to avoid Latinisms where possible, e.g. “geniuses” and not “genii”.)
*bowing in praise to the Wisdom of the Duck*
Thanks; well I suppose I can stop resisting now–it’s why above I suggested “info,” since “data” sounds funny to me pluralized as well.
Does this strike you as an example of bountiful incorrect usage driving official change?
Similarly, despite that “bimonthly” means every other month, I’ve seen it used (painfully often) to mean twice per month, with some considering “biweekly” and “bimonthly” approximately and paradoxically equal.
Duck wrote “We’ve recently seen phishing campaigns in the UK that were much more believable than usual because they included name and home address details.”
This is not a persuasive approach in the USA. We’ve been conditioned for decades through postal mail with special Publishers Clearing House offers “just for you, Laurence Marks at 123 Elm St., and your neighbors on Elm St.” We know how easy it is to do that. In fact, long before there was MS Word, people were doing mail merges on IBM mainframes, later using WordStar, WordPerfect, and AmiPro.