Thursday, June 01, 2023

USS-Capita data breach

I got an email from USS on Friday last to inform me that my personal data was "exfiltrated" by hackers.

Copy of that email follows my response below.

I have not had a response from USS to my email.

To whom it may concern,

I am writing in response to your email of 26 May advising me that some of my “personal information was held on Capita computer servers accessed by hackers earlier this year”. The personal information compromised includes my title, initial(s), and name, date of birth, National Insurance number, USS member number and retirement date.

You use Capita, a firm with a history of IT failures, to support “in-house pension administration”. You claim “Capita confirm that they have taken extensive steps to recover and secure the data”. Please specify precisely what these extensive steps are and how they will lead to the recovery and security of the data.

You state you “very much regret this has happened” and are “committed to supporting” me.

This support consists of advice, with no sense of irony, that I

“should only ever give out personal information if you are absolutely sure you know who you are communicating with”

and a 12-month membership to Identity Plus, a monitoring service provided by Experian.

In addition to the personal details you have shared through Capita with the criminal underworld and now with Experian, you explain that Experian will also require extra personal details to sign up for their “free” service. I understand from colleagues who have attempted to sign up for this free Experian service that the company has taken the opportunity of a captive USS membership audience to market its premium services during the sign-up process. Classy.

Essentially you require me to provide a dominant data broker, Experian, with multiple personal details, in addition to that data you have already exposed, in order that I can get them to help me check if I have been the victim of identity theft for the next 12 months. The victims whose personal data was “exfiltrated” from Capita are tasked with monitoring the potential misuse of that data and identity fraud facilitated by the negligence of USS and Capita.

There is no indication in your communication of the substantive actions USS and Capita are proposing to take in response to this serious data breach.

Not to mention, as recently as the end of 2022, your chosen fraud monitoring vendor, Experian, itself had a glaring security weakness in its website, enabling anyone to access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. By coincidence amongst the very same data details you and your partner, Capita, have released to crime syndicates and miscellaneous other nefarious economic actors.

You say I have to sign up for the Experian service by 24 August and it will give me access to the following features:

• Unlimited access to your Experian Fraud Report.

• Credit Alerting – an email or SMS to let you know when certain changes happen on your Experian Credit Report, such as the addition of a new credit search.

• Web monitoring – an alert by email or SMS which confirms that personal information has been found on the dark web.

• Access to Experian’s Victims of Fraud service if you do become a victim of fraud, who will support you in resolving fraud that has occurred.

• If you are at higher risk of fraud, Experian can add protective Cifas registration to your Credit Report which can help prevent credit being taken in your name.

And that if I have any questions I should take them up with Experian’s call centre. You cannot even be bothered to familiarise yourselves with the specific details of the service you wish the USS membership to sign up for, in response to the data breach for which USS and Capita are responsible?

Well I do have questions for you about this Experian service that you should, at a minimum, be able to answer –

If I do become a victim of fraud, will access to Experian’s “Victims of Fraud” service incur extra charges, accruing to me, depending on the extent, duration and complexity of the fraud?

What specific support is involved here, in the worst case scenario?

What if I become the victim of fraud a year and a day from now?

If I am at higher risk of fraud and Experian add protective Cifas registration to my Credit Report, what are the implications of this and what are the ongoing costs?

Why is there a 12-month time limit on the identity monitoring service? Notwithstanding Capita’s empty claim to “have taken extensive steps to recover and secure the data”, the sensitive personal information is now in the wild, permanently. The threat of identity fraud associated with this data breach has no end date.

On Capita:

The nature of the incident should be considered worthy of terminating USS contracts with Capita, but given that this is unlikely:

Is USS continuing to share personal data with Capita?

How can you be sure, given Capita’s own lack of satisfactory response to this incident and its history of IT failures and unethical practices, e.g. in bullying vulnerable people over TV licences, that there will not be issues in the future? Capita have provided absolutely no indication that they are capable of managing this incident effectively or robustly.

Why did USS trust Capita with such sensitive information in the first place?

What processes did USS have in place to audit and monitor Capita’s collection, processing, storage and security of sensitive USS member records?

Who, how, why, through what means, when and where did external actors get access to and “exfiltrate” USS members’ data through Capita’s systems?

More generally:

What specific steps are you taking to improve USS security immediately and in the medium and long term?

What specific investigations are you undertaking to understand the causes of this serious data breach?

When, at the very least, are you going to issue USS members with new membership numbers?

Are you going to consult with government about the possibility of getting USS members issued with new National Insurance numbers?

The sheer casualness of your response to this serious information security incident, and the offloading of the burden of addressing the risk & harm of fraud arising from it onto the shoulders of individual USS members, is both shocking and shameful.

Yours faithfully,

Ray Corrigan

USS email below.