Hackers attack BBC pensions database, stealing records of more than 25,000 people

The BBC has sent emails to more than 25,000 current and former employees of one of its pension schemes after an unauthorized party hacked into the database and stole their details.

Names, national insurance numbers, dates of birth, gender and home addresses are included in the cloud-based data used by the BBC Pension Scheme management team, it said. The Reg.

No financial information or credentials were compromised, and the incident did not affect the integrity of the project itself, the website, or the website used by project members to manage their investments. see.

The incident was discovered on 21 May by the BBC’s infosec team, which brought in outside experts to help dig into the case. The results of the ongoing investigation show that the stolen data has not been misused yet, and the database has been locked down.

Each of the approximately 25,290 members involved has been offered a two-year credit check – Experian Identity Plus for UK residents and Experian IdentityWorks for retirees to enjoy their retirement abroad. But that hasn’t satisfied members who wrote to Vulture Central, which was made clear in an email notification they received Wednesday evening.

A spokesperson for the BBC Pension Scheme said in a statement: “We apologize to members affected by this and appreciate it. We want to reassure members that the BBC has responded quickly and that the source of the incident has been secured. We are working swiftly with the teams.” of experts inside and outside to understand how this happened and to monitor the situation As a security, other security measures have also been made.

“While there is no action to be taken by members, it is important to be on the lookout for any incident that appears unusual. We have written/are writing to affected members to inform them of this incident, along with advice and support through our website and pensions service. We also offer affected Scheme members free access to Experian Identity Plus credit and web checking services, as an extra safeguard if they wish to use it.

“This incident has been reported to the Office of the Information Commissioner and the Pensions Regulator.”

The BBC Pension Scheme stopped accepting new members in 2010 and is due to report in 2023. [PDF]there are currently 58,787 members in the scheme, meaning less than half have been affected by data theft.

The project was closed due to financial problems it owed due to the crash of 2008, the Beeb’s then-CFO Zarin Patel explained in a blog post. The value of the fund dropped and as a result, the broadcaster made controversial changes that reduced membership fees.

Its large public pension was considered a good deal for the BBC’s salary which was not as competitive as rival commercial broadcasters. Critics of Patel’s blog post said they felt “sick” after learning of the changes.

Members who joined the BBC after December 10, 2010, are enrolled in the “LifePlan” defined contribution plan.

This week’s incident is also the second major data breach at the Beeb this year. The broadcaster was one of the first major organizations to be hit by Cl0p’s massive attack on unregistered MOVEit MFT users last year.

Third-party service provider Zellis was the source of the data leak, which affected British Airways, Aer Lingus, and high street cosmetics retailers.

The BBC said that dates of birth, home addresses, national insurance numbers and employee ID numbers were among the types of data stolen during the hack.

Security biz Emsisoft, which has been tracking MOVEit victims since May 2023, now confirms the number of orgs whose data has been stolen using the vulnerability worldwide at 2,773, affecting more than a million people 95. ®