Bupa fined £175,000: The Risks and Costs of Unauthorized Emails

As the recent Bupa data breach highlighted, the sending of unauthorized emails – an email that is intentionally sent to an unauthorized recipient, such as an employee’s personal email account – can have a detrimental financial and reputational impact upon an organization.

The global insurance and healthcare group’s failure to prevent the exfiltration and attempted sale of over half a million international health insurance customers’ personal information led to a £175,000 fine and a damning evaluation of its negligent security practices.

“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigations found material inadequacies in the way Bupa safeguarded personal data. On top of that, the ICO’s investigation found no satisfactory explanation for them.”

— Steve Eckersley, Director of Investigations, Information Commissioner's Office

The loss of consumer data can also result in:

  • Breaching contracts or non-disclosure agreements
  • The loss of IP and proprietary research
  • Breaching data protection regulations
  • Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

Despite such demonstrably damaging ramifications, many organizations do not have sufficiently secure networks and, as a result, lack the necessary visibility over how sensitive data is processed and stored. Before they know it, sensitive data is shared, stolen and sold; the damage is done.

For large organizations like Bupa, monitoring thousands of employees and hundreds of thousands of email communications containing millions of pieces of data can seem an insurmountable and relentless task. In 2018, an estimated 124.5 billion business emails were sent every day, with each employee sending an average of 31. These figures are only expected to increase (at a rate of 3% per annum over the next few years) as corporate email networks grow in size and importance.

Organizations that possess large amounts of highly sensitive patient or consumer data like Bupa have a duty to prevent this kind of data breach from happening. If they cannot monitor or control employee behaviour, they must take the necessary steps to find and invest in an approach and solution that can prevent unauthorized emails from being sent.

It’s crucial to be proactive – rather than reactive – in addressing this kind of threat.

As such, we recommend enterprises employ an email security platform that offers comprehensive protection against the sending of unauthorized emails. Tessian Enforcer, for example, uses machine learning to understand human conversation patterns in order to detect, flag and prevent anomalous emails, which may contain sensitive data, from being sent to unauthorized or personal email accounts.
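The kind of check described above, reduced to a transparent rule-based heuristic rather than a machine-learning model, as an added example that is not Tessian's code: it builds each sender's historical recipient set from constructed mail logs, then scores an outbound message on whether the recipient is new for that sender, whether the domain is a personal webmail or other external domain, and whether the content references sensitive customer data. The domain lists, sensitive-data patterns, policy-id format and blocking threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed outbound-mail history as (sender, recipient) pairs; not real data.
HISTORY = [
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "claims@partner.example"),
    ("alice@corp.example", "claims@partner.example"),
    ("dave@corp.example", "bob@corp.example"),
]

# Assumed organisation and trusted-partner domains.
CORPORATE_DOMAINS = {"corp.example", "partner.example"}
# Assumed consumer webmail domains, i.e. likely "personal account" destinations.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Assumed markers of sensitive insurance/health data in subject, body or filenames.
SENSITIVE_PATTERNS = [
    re.compile(r"\bpolicy\s*(?:no|numbers?)\b", re.I),
    re.compile(r"\b(?:diagnosis|medical record|date of birth)\b", re.I),
    re.compile(r"\b[A-Z]{2}\d{6}\b"),  # constructed policy-id format
]

def build_profiles(history):
    """Map each sender to the set of recipients they have emailed before."""
    profiles = defaultdict(set)
    for sender, recipient in history:
        profiles[sender].add(recipient.lower())
    return profiles

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def assess(profiles, sender, recipient, subject, body, attachment_names=()):
    """Return (risk_score, reasons) for one outbound message; one point per signal."""
    reasons = []
    recipient = recipient.lower()
    if recipient not in profiles.get(sender, set()):
        reasons.append("recipient never emailed by this sender before")
    dom = domain_of(recipient)
    if dom in PERSONAL_DOMAINS:
        reasons.append(f"recipient is a personal webmail account ({dom})")
    elif dom not in CORPORATE_DOMAINS:
        reasons.append(f"recipient domain {dom} is outside the organisation")
    text = " ".join([subject, body, *attachment_names])
    if any(p.search(text) for p in SENSITIVE_PATTERNS):
        reasons.append("message references sensitive customer data")
    if any(n.lower().endswith((".csv", ".xlsx")) for n in attachment_names):
        reasons.append("bulk data export attached")
    return len(reasons), reasons

def should_block(profiles, *message, threshold=3):
    """Block (hold for review) when enough independent risk signals coincide."""
    score, reasons = assess(profiles, *message)
    return score >= threshold, reasons
```

A real deployment would replace the static lists with directory and mail-gateway data and tune the threshold against false positives on known-good partner traffic.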

About Tessian

Tessian is building the world’s first Human Layer Security platform to fulfil our mission to keep the world’s most sensitive data and systems private and secure. Using stateful machine learning to analyze historical email data, Tessian’s Parallax Engine can predict, for this user at this point in time, whether this email looks like a security threat.

Book a demo to learn more about our email security platform.