Earlier this week USS, the main pension fund for lecturers and university staff, wrote to their members to inform them that their data had been stolen in a hack. The hack, thought to be by a well-known Russian ransomware team, occurred on March 31st. But it took until this week, almost 2 months later, for USS to write to members informing them that their data may have been compromised.
The hack on March 31st was part of a major cyber attack on outsourcing company Capita. During that attack Capita employees were unable to log into their laptops, with their usual password rejected as “incorrect”. In addition to being responsible for the security of lecturers’ pensions, Capita, which employs 50,000 people in the UK, has £1.9bn of contracts with the Ministry of Defence, including recruitment for the British army, maintenance at the UK’s Submarine Training Centre, and fire and rescue for the Ministry of Defence. It also has £2 billion worth of contracts with the Department for Work and Pensions.
On April 3rd, Capita issued a press release saying: “The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.” But now USS has told their members that anybody who joined the scheme post-2021 may have had their name, address, date of birth and national insurance number stolen. This information could well facilitate the creation of false accounts in the person’s name, allowing fraudsters to apply for loans etc. As Dr Eleanor Drage, a senior researcher at Cambridge University, told the BBC: “I’ve got the whole of my career ahead of me and my personal and pension data is now forever out in the wild.” Whilst USS have offered to provide free access to Experian, a credit fraud company, Dr Drage said that this was “not a resolution, it’s an insult”.
Meanwhile, the Information Commissioner’s Office (ICO) said that they had heard from around 90 organisations who believed that Capita had allowed their data to be accessed. For those affected it will mean a long period of stress over who has their data and what uses they may put it to.
The wider political issue is that public sector organisations are increasingly reliant upon outsourcing vital services to private providers. We work our entire lives paying into pension funds to enable us to enjoy some measure of dignity in our post-work lives. All we ask is that the companies protecting our investments are competent. Increasingly they are more interested in profits, and when these breaches occur, instead of putting their hands up, they spend their time issuing bland, but false, reassurances.
It was left to Southampton UCU Executive Committee to offer the following advice, which is pertinent to all of us and not just to those who have been affected by this particular breach.
- Don’t engage with anybody who contacts you knowing your NI, DoB or retirement date; they are likely to be a fraudster.
- Protect yourself against identity theft by, for example, putting a restriction on the land register which prevents somebody impersonating you to gain access to the deeds of your house.
- Treat this as a “wake up call” to adopt better personal cybersecurity practices. They recommend best practice as suggested by NCSC.
We look forward to a day when fraudsters are no longer preying on those they consider weak or vulnerable. There are no victimless crimes here. When a large organisation, such as USS, is held to ransom, they can only pay by using money which would otherwise be spent on the pensions of their members. That the companies operate without any adequate regulation is testament to the free market zealots who control our parliament and civil life. Only when we take control ourselves will we be able to monitor effectively what is happening to the billions of pounds ordinary workers have invested in pension funds. Sadly, that day is a way off yet.