A month to the day from when I wrote to them about the USS Capita data breach, I have finally had a response from USS:
I apologise for the delay in replying; we are currently receiving a very high volume of enquiries so we may take longer than usual to respond. We thank you for your patience, as we work our way through each query.
We use member number as an identifier (like a name) not a verifier (i.e., checking who you claim to be). A person contacting USS to make changes to a pension would need to know additional information. So, changing your member number won’t be necessary.
Unfortunately, we cannot be more specific at the moment with the questions you have raised.
We are proactively engaging with Capita in respect of their ongoing investigation and hope to find out more information soon.
All the current information we have to hand can be found on our Capita Cyber Hub on our website, www.uss.co.uk. The hub is being updated with any additional information as soon as it is known.
If you have any further questions, please visit our website at uss.co.uk and our Questions and Answers document located on the homepage.
Member Support Team
Universities Superannuation Scheme Ltd | Royal Liver Building | Liverpool L3 1PY
email@example.com | 0333 300 1043
- They claim again "privacy and security is a top priority" for them
- Issuing of new membership numbers "won't be necessary"
- They "cannot be more specific...with the questions" I have asked
- They are "proactively engaging with Capita...and hope to find out more information soon"
On the stages of incident response, how should we rate USS & Capita?
- Preparation - failed
- Identification - failed, and sat on the breach for too long before notifying membership
- Containment - failed and failing
- Eradication - failing
- Recovery - based on ongoing impact on USS membership, spectacularly failing
- Lessons learned - failing