What happened and when?
On the 21 May, the 91热爆’s information security team alerted us to a data security incident, in which some files containing personal information of 91热爆 Pension Scheme members records were copied from a cloud-based data storage service used by our administration team.
The files include personal details including names, National Insurance numbers, dates of birth, sex and home addresses of some pension scheme members.
The information did not contain any bank details, financial information, usernames or passwords. It did not involve the Pension Scheme website or our member portal: myPension Online, or existence checking service: myPensionID. It is also important to note that analysis undertaken by our specialist teams currently shows no evidence that the affected files have been misused.
The incident has been reported to the Information Commissioner’s Office and the Pensions Regulator.
How will I know if my data has been disclosed?
We will contact you directly if you are affected. Emails were sent to affected members from mypension@bbc.co.uk on 29 May 2024. If we don’t hold an email address for you and you are affected we will be writing to you in the next few days.
It is always important to be alert to data and cyber security and we would encourage members to be cautious of any unsolicited and unexpected communications that ask for your personal information or ask you to take unexpected steps. This includes unexpected letters, telephone calls, texts or emails and information that refers you to a web page. Please also avoid responding to, clicking on links, or downloading attachments from suspicious email addresses. If you are unsure don’t respond.
If there are any questions or concerns, members can contact the pension service line by emailing mypension@bbc.co.uk or by calling 0303 081 2848.
What information was disclosed?
Investigations have confirmed the information contained some personal details of some of our 91热爆 Pension Scheme members. This information included names, National Insurance numbers, dates of birth, sex and home addresses.
This information did not contain any bank details, financial information, usernames or passwords. It did not involve the Pension Scheme website or our member portal: myPension Online, or existence checking service: myPensionID. It is also important to note that analysis undertaken by our specialist teams currently shows no evidence that the affected files have been misused.
Is the system now secure?
We take this incident extremely seriously and are working at pace with specialist teams internally and externally to understand how this happened. The source of the information has been identified and secured. We have also put additional security measures in place and investigations continue. Our experts are monitoring the situation for unusual activity.
The data files involved were copies and there is therefore no impact to the operations of the Scheme which continues as normal.
Is the information still available in any way?
The information can no longer be accessed from the original source, and we have not yet seen any evidence of the information being available elsewhere. We are continuing to monitor this closely.
Do we know who has taken my personal information?
Investigations are ongoing, but at this stage we do not know who is responsible.
What should I do if my data has been released?
Analysis undertaken by our specialist teams currently shows no evidence that the affected files have been misused, but this continues to be monitored.
Whilst there is no specific action you need to take, it is always important to be alert to data and cyber security. We encourage members to be cautious of any unsolicited and unexpected communications that ask for your personal information or ask you to take unexpected steps. This includes unexpected letters, telephone calls, texts or emails and information that refers you to a web page. Please also avoid responding to, clicking on links, or downloading attachments from suspicious email addresses. If you are unsure don’t respond.
We recommend the use of strong passwords and Two Factor Authentication where available, particularly for your important online services. Two Factor Authentication is an enhanced security method that requires two forms of identification to access resources and data.
We appreciate any incident involving personal data is worrying and we are offering Scheme members affected 24 months of free access to the credit and web monitoring service.
Members affected received more information about this service and details of how to access it in their individual letters or emails.
You can find general guidance and advice at National Cyber Security Centre.
What might illegitimate use of my data look like?
Should someone attempt to impersonate you to attempt access to your accounts, or to create a new account, you may see indications such as an unexpected text message or email about activity around your account/login, or asking you to confirm it is you who is about to attempt an action.
If you are unsure, do not approve any request and contact the service or organisation, and ask for their fraud department.
Always use verifiable contact details that are already in your possession or on paperwork you have received.
Do not use contacts or links in unexpected emails or text messages.
I鈥檓 having problems signing up to Experian Identity Plus, what should I do?
Please call Experian鈥檚 dedicated helpline on 03444 818182 which is open Monday-Friday from 8am-6pm. They will be able to help you with any questions on the registration and sign-up process.
I already have Experian Identity Plus. Can I benefit from the free two year membership being offered?
Yes, any Scheme member affected by this incident can benefit. This offer is for two years from now regardless of whether you already have Experian coverage.
You simply need to reregister for the service following the details outlined in your letter.
I live overseas, can I register for Experian Identity Plus?
If you do not have a UK residence and permanently live overseas then you will not be able to use the Identity Plus service. Instead, you may be able to register for Experian鈥檚 IdentityWorks service which is available in the following jurisdictions: Australia, Austria, Brazil, Canada, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Italy, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Singapore, Spain, South Africa, Sweden, Switzerland, Turkey, United States, Puerto Rico, Guam and US Virgin Islands. IdentityWorks monitors the web, social networks and public databases on your behalf 24/7, looking for your details to immediately detect theft, loss or disclosure of your vital personal and financial information. If your information is found, you鈥檒l be instantly alerted and given help and advice on what to do next to protect yourself from fraud. More detail, including how to register for IdentityWorks, is provided in the email or letter sent to affected members.
I live overseas and am having problems registering for Experian IdentityWorks, what should I do?
IdentityWorks has email support only and any questions about the service should be directed to globalidworks@experian.com. They will be able to help you with any questions on the registration and sign-up process.