A month to the day from when I wrote to them about the USS Capita data breach, I have finally had a response from USS:
"Dear Ray
We use member number as an identifier (like a name) not a verifier (i.e., checking who you claim to be). A person contacting USS to make changes to a pension would need to know additional information. So, changing your member number won’t be necessary.
Unfortunately, we cannot be more specific at the moment with the questions you have raised.
We are proactively engaging with Capita in respect of their ongoing investigation and hope to find out more information soon.
All the current information we have to hand can be found on our Capita Cyber Hub on our website, www.uss.co.uk. The hub is being updated with any additional information as soon as it is known.
I understand this may not be the answer you are looking for, but if you wish to submit a comment or complaint in the interim, please visit our comments and complaints page for more information.
(https://www.uss.co.uk/about-us/how-were-governed/comments-and-complaints)
If you have any further questions, please visit our website at uss.co.uk and our Questions and Answers document located on the homepage.
Kind regards
XXXX XXXX
Member Support Team
Universities Superannuation Scheme Ltd | Royal Liver Building | Liverpool L3 1PY
mydata@uss.co.uk | 0333 300 1043
In short:
- They claim again "privacy and security is a top priority" for them
- Issuing of new membership numbers "won't be necessary"
- They "cannot be more specific...with the questions" I have asked
- They are "proactively engaging with Capita...and hope to find out more information soon"
On the stages of incident response, how should we rate USS & Capita?
- Preparation - failed
- Identification - failed and sat on breach for too long before notifying membership
- Containment - failed and failing
- Eradication - failing
- Recovery - based on ongoing impact on USS membership, spectacularly failing
- Lessons learned - failing
