International health insurance provider Bupa Global recently acknowledged that an employee had inappropriately accessed and removed information on 108,000 health insurance policies covering a total of 547,000 current and former customers.
The exposed data includes names, birthdates, nationalities, contact details, and administrative information including Bupa membership numbers.
"This was not a cyber attack or external data breach, but a deliberate act by an employee," Bupa Global managing director Sheldon Kenton said in a statement. "We have introduced additional security measures and increased our customer identity checks."
"A thorough investigation is underway and we have informed the FCA and Bupa's other U.K. regulators," Kenton added. "The employee responsible has been dismissed and we are taking appropriate legal action."
Imperva director of security research Itsik Mantin told eSecurity Planet by email that the Bupa breach is yet another reminder that data breaches caused by insiders are both real and serious. "Because the problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected," he said.
Handling Employee Access
And the threat doesn't end when the employee leaves the company. A recent OneLogin survey of 500 U.S.-based IT decision makers found that 20 percent of respondents said failure to de-provision employees from corporate applications had led to a data breach at their organization.
A quarter of respondents said they don't know how long accounts remain active once the employee has left the company, and 44 percent aren't confident that former employees have been removed from corporate networks at all. Forty-one percent of respondents aren't currently using a security information and event management (SIEM) system to monitor employee application usage and detect threats.
"The bottom line is that companies aren't following very basic but essential security measures around employee provisioning and de-provisioning," OneLogin CISO Alvaro Hoyos said in a statement. "This should be a cause for concern among business leaders, especially considering how many data breaches are caused by ex-employees."
Rapid Incident Response
Paul Edon, director of international customer services at Tripwire, said knowing what data is where is the first step in ensuring security. "Then, controlling not only who has access to said data but also the level of access would be the next step, ensuring each individual has only the access necessary to do their job," he said. "This can reduce the risk of an insider threat greatly."
"However, should a breach happen, it is imperative that the breached company has a rapid response," Edon added.
Speedy incident response can make a huge difference. According to a recent Aberdeen Group report, doubling detection and response speed to cyber attacks produces a 70 percent reduction in impact on the availability of enterprise computing infrastructure -- and improvements to detection and response speed following a breach produce a median reduction of 30 percent in impact on the business.
Plixer director of strategic relationships and marketing Bob Noel said by email that Aberdeen's report should be a wake-up call to the board room that security strategies have to change. "Time to resolution is paramount, and with the growing velocity of breaches, strategies must shift from a primary focus on prevention to one of effective incident response," he said.