Monday, June 26, 2023

USS data breach response to my questions

A month to the day from when I wrote to them about the USS Capita data breach, I have finally had a response from USS:

"Dear Ray

 I apologise for the delay in replying, we are currently receiving a very high volume of enquiries so we may take longer than usual to respond. We thank you for your patience, as we work our way through each query.

 We take onboard your feedback below and we want to apologise and assure you that data privacy and security is a top priority for us.

 We use member number as an identifier (like a name) not a verifier (i.e., checking who you claim to be). A person contacting USS to make changes to a pension would need to know additional information. So, changing your member number won’t be necessary. 

 Unfortunately, we cannot be more specific at the moment with the questions you have raised.

 We are proactively engaging with Capita in respect of their ongoing investigation and hope to find out more information soon.

 All the current information we have to hand can be found on our Capita Cyber Hub on our website, The hub is being updated with any additional information as soon as it is known.

 I understand this may not be the answer you are looking for, but if you wish to submit a comment or complaint in the interim, please visit our comments and complaints page for more information.


 If you have any further questions, please visit our website at and our Questions and Answers document located on the homepage.

 Kind regards

             XXXX XXXX

Member Support Team
Universities Superannuation Scheme Ltd | Royal Liver Building | Liverpool L3 1PY | 0333 300 1043"

In short:

  • They claim again "privacy and security is a top priority" for them
  • Issuing of new membership numbers "won't be necessary"
  • They "cannot be more specific...with the questions" I have asked
  • They are "proactively engaging with Capita...and hope to find out more information soon"

On the stages of incident response, how should we rate USS & Capita?

  • Preparation - failed
  • Identification - failed and sat on breach for too long before notifying membership
  • Containment - failed and failing
  • Eradication - failing
  • Recovery - based on ongoing impact on USS membership, spectacularly failing
  • Lessons learned - failing