BBC Pension Scheme investigates data leak

The BBC Pension Scheme is investigating a data breach in which the personal details of pension scheme members were copied from a cloud storage service. It has told members that there is currently no evidence the files have been misused but is urging them to stay vigilant.  

On 21 May, the national broadcaster’s information security team made the scheme aware of a breach in which files with the personal information of BBC Pension Scheme members were copied from a cloud storage service used by the scheme’s administration team. The data includes names, national insurance numbers, dates of birth, sex and home addresses of some scheme members. 
 
The scheme said it is working “at pace” with specialist internal and external teams to understand how this happened, noting that the Information Commissioner’s Office and the Pensions Regulator have been notified. 

“We sincerely apologise to members affected by this and appreciate this will be concerning. We want to reassure members that the BBC has responded quickly and that the source of the incident has been secured,” a spokesperson for the scheme said. “As a precaution, additional security measures have also been put in place.” 
 
The spokesperson stressed that the leaked information did not contain any bank details, financial information, telephone numbers, email addresses, usernames or passwords, and that it did not involve the scheme’s website or member portal.  
 
Members were urged to be vigilant for unusual activity nonetheless. The scheme, as well as providing advice and support online and over the phone, is offering the affected members two years of free access to the Experian Identity Plus credit and web monitoring service.  
 
The scheme said it does not know who is responsible at this stage, but that investigations are ongoing. It emphasised that analysis undertaken by specialist teams currently shows no evidence that the affected files have been misused. 

As the data files involved were copies, there is no impact on the operations of the scheme. 
  
Earlier this year, the Pensions Regulator set out key steps trustees should take during a cyber security incident, in an intervention report on a hack at pensions administrator Capita in 2023. The outsourcing firm expects the incident to cost it between £20m and £25m.  
 
In May, the ICO urged all organisations to up their game on cyber security, as its trend data found that more organisations than ever are experiencing breaches that put people’s personal information at risk. Over 3,000 cyber breaches were reported to the ICO in 2023, led by finance (22%), retail (18%) and education (11%).
 
Perhaps surprisingly, identity theft is not a recordable crime in the UK.   
    
   
