USS hack response panned as members report suspicious activity

Lawyers consider bringing joint claim over breach, but pension fund says no evidence personal information stolen during Capita attack is circulating widely

June 13, 2023
Source: iStock

Members of the UK’s largest higher education pensions scheme say the response to their data being hacked has been “wholly inadequate”, as lawyers consider bringing a group case on behalf of those affected.

Anyone who was a member of the Universities Superannuation Scheme (USS) in 2021 was warned last month that files containing their personal details had been accessed by hackers when they targeted the firm Capita, a technology supplier used by the pensions fund.

Names, dates of birth, National Insurance numbers, USS member numbers and retirement dates were all included in the stolen data, potentially affecting 470,000 people. Black Basta, a Russian ransomware gang, claimed responsibility for the attack.

USS has stressed that members’ pensions are secure and Capita has – to date – found no evidence the data stolen was circulating widely.

But several academics who have their pensions with the fund have complained of noticing suspicious activity in the aftermath of the breach. One said there had been multiple unsolicited credit checks on their bank account, while others said they had experienced an influx of spam emails and calls.

Denis Nicole, a reader in electronics and computer science at the University of Southampton and an expert in cybersecurity, said the data that had been compromised “can be used to impersonate someone, with a bit of difficulty”.

But he said the real “danger” was it being used “to give credibility to an incoming phishing email or phone call”.

“The most likely way it can be abused is that you could get a phone call from someone claiming to be USS or the pensions department, using this data as evidence they are genuine, then asking you to do something rash like move money to a different bank account,” he explained.

USS has offered all members a free year-long subscription to Experian’s identity-monitoring service, which Dr Nicole said was “about as basic a level of support as you should get in case of a data breach”.

Tanja Bueltmann, professor of migration and diaspora history at the University of Strathclyde and a USS member, said that far from being proactive support as claimed by USS, the Experian offer “places the onus on members” to monitor for suspicious activity and “any issues that do arise will still have to be dealt with by the member directly”.

She said her major concern was for members’ data in the long term, given that it could be exploited for many years. “What happens when the data of a member is used for fraudulent activity in more than a year’s time? Who is helping the member then and who is liable if something goes really wrong?” she asked.

“With that in mind, my view remains that the USS response so far has been wholly inadequate.”

She said she recognised that many issues were out of USS’ control but its communication had been “basically a masterclass in how not to manage an incident as serious as this”, adding that she and others had not received responses to concerns raised.

Sean Hunter, a partner at the legal firm Leigh Day, confirmed to Times Higher Education that it was in the early stages of bringing a group claim on behalf of USS members against Capita for any financial losses suffered and distress caused.

“It appears to be a serious data breach,” he continued. “This is clearly not trivial information that has been stolen. We’re looking at the merits of any claim, concentrated on Capita. But at the moment we are still trying to establish exactly what has happened.”

A spokesman for USS said it was reviewing the data it had received from Capita but the extent of the breach was in line with what had previously been communicated to members, with “no additional personal data concerned”.

Asked if it would continue to work with Capita, he said USS’ focus was on “supporting its members” but the whole issue was “being kept under regular review”.

On whether members would get compensation, the spokesman said: “When we have greater clarity on these issues, we will pursue whatever avenues might be available in the best interests of all our members.”

And responding to concerns about the response of USS and Capita, he added: “We very much regret that this incident happened and are committed to supporting members through this very unfortunate situation. We are treating complaints we receive from members with the utmost seriousness, and we understand the concern they are experiencing.”

tom.williams@timeshighereducation.com

Register to continue

Why register?

  • Registration is free and only takes a moment
  • Once registered, you can read 3 articles a month
  • Sign up for our newsletter
Register
Please Login or Register to read this article.

Related articles

Reader's comments (2)

I am affected by this and as it happens, my husband's pension from a commercial job was affected in the same attack - the breach was actually suffered by a third party who processes data for several major pension providers. My husband's pension company was equally mediocre in their response (although their letter arrived several days before the email from USS) and they were also unhelpful when he called them up. Neither of us have noticed an uptick in suspicious behaviour or phishing attacks, but both being computer scientists we keep a firm eye on such things as a matter of course.
Experian has a complex process of getting the support.

Sponsored