On 21 May 2024, the BBC Pension Scheme, which provides benefits to over 50,000 people, was alerted to a "data security incident" affecting more than 25,000 members. Files containing information on members' names, National Insurance numbers, dates of birth and home addresses were "copied from an online data storage service".

A statement has been released confirming that the source of the breach has been secured and an investigation has been launched. This statement also says that there is currently no evidence of “misuse” of the copied files (but the situation is under close monitoring) and that the scheme is "working at pace with specialist teams internally and externally to understand how this happened". No information has been shared publicly on who might be responsible for the incident.

Fortunately, it is currently understood that no bank details, phone numbers, passwords or email addresses were leaked as a result of the incident as the affected files were copied, not removed. The scheme has assured its members that there has been "no impact to the operations" of the scheme, and the incident has been reported to the Information Commissioner’s Office (ICO) and the Pensions Regulator (TPR).

Comment

TPR has made it clear in its latest cyber security guidance published in December 2023 and in its intervention report on the Capita cyber incident published in February 2024 that prompt communication with members impacted by a cyber incident should be prioritised. 

In the case of this attack, the BBC Pension Scheme certainly appears to have met those TPR expectations, given that it is reported that the scheme was only made aware of the incident on 21 May and a statement and FAQs have already been published on the BBC’s website. 

How we can help

Cyber security is an increasingly recurring theme in pension news. With schemes managing the personal data and assets of thousands of members, TPR is placing greater expectations on trustees to manage cyber risks and is holding them accountable when breaches occur.

Burges Salmon has designed a Cyber Security Package offering to meet the minimum cyber security expectations for trustees under TPR’s cyber security guidance and the General Code of Practice. You can find more information in our Cyber Security Compliance Trustee Checklist and you can learn about our team’s experience in advising pension schemes in relation to cyber security here.

If you are interested in finding out more about our Cyber Security Package or you have any questions on our wider cyber security offerings, please contact Richard Pettit or Samantha Howell.