News: 1717077731

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Cybercriminals raid BBC pension database, steal records of over 25,000 people

(2024/05/30)


The BBC has emailed more than 25,000 current and former employees on one of its pension schemes after an unauthorized party broke into a database and stole their personal data.

Names, national insurance numbers, dates of birth, sexes, and home addresses were included in the data that was exposed via a cloud database used by the [1]BBC Pension Scheme's admin team, it told El Reg .

No financial information or login credentials were compromised, and the incident didn't affect the integrity of the scheme itself, its website, or the portal used by scheme members to manage their investments.

[2]

The incident was detected on May 21 by the BBC's infosec team, who brought in outside experts to help dig into the case. Results of the investigation, which is still ongoing, indicate that the stolen data hasn't been misused at present, and the database has now been locked down.

[3]

[4]

Every one of the circa 25,290 scheme members affected has been offered two years' worth of credit monitoring – Experian Identity Plus for UK residents and Experian IdentityWorks for those who absconded to enjoy retirement abroad. But that still hasn't appeased members who wrote to Vulture Central, who were quite clearly ticked off at the email notification they received on Wednesday evening.

A BBC Pension Scheme spokesperson said in a statement: "We sincerely apologize to members affected by this and appreciate this will be concerning. We want to reassure members that the BBC has responded quickly and that the source of the incident has been secured. We are working at pace with specialist teams internally and externally to understand how this happened and to monitor the situation. As a precaution, additional security measures have also been put in place.

[5]

"Whilst there is no action members need to take, it is important to be vigilant for any activity that seems unusual. We have written/are writing to members affected informing them of the incident, along with advice and support through our website and pension service line. We are also offering Scheme members affected free access to the Experian Identity Plus credit and web monitoring service, as an additional layer of security should they wish to use it.

"The incident has been reported to the [6]Information Commissioner's Office and the Pensions Regulator."

The BBC Pension Scheme stopped accepting new members in 2010 and according to its [7]2023 accounts [PDF], there are currently 58,787 members on the scheme, meaning just under half were impacted by the data theft.

[8]

The scheme was closed due to financial difficulties it owed to the 2008 crash, the Beeb's then-CFO Zarin Patel explained in a [9]blog post . The value of the fund tumbled and as a result, the broadcaster made controversial changes that essentially reduced the payout for members.

Its generous public sector pension was considered a decent tradeoff for a BBC salary that wasn't as competitive as rival commercial broadcasters. Commenters under Patel's blog post said they felt "sick" after learning of the changes.

Members who joined the BBC after December 10, 2010, were enrolled in its "LifePlan" defined contribution plan.

[10]Miscreants claim they've snatched 560M people's info from Ticketmaster

[11]2.8M US folks learn their personal info was swiped months ago in Sav-Rx IT heist

[12]Council claims database pain forced it to drop apostrophes from street names

[13]BBC exterminates AI experiments used to promote Doctor Who

This week's incident is also the second major data theft incident at the Beeb in the space of a year. The broadcaster was one of the earliest major organizations to have been affected by [14]Cl0p's mega-raid on unpatched MOVEit MFT users last year.

Third party payroll services provider Zellis was the source of the data leak, which also impacted British Airways, Aer Lingus, and high-street cosmetics retailer Boots.

The BBC said dates of birth, home addresses, national insurance numbers, and staff ID numbers were among the data types stolen in that break-in.

Security biz Emsisoft, which has been [15]tracking MOVEit victims since May 2023, currently pegs the number of orgs whose data has been stolen using the flaw globally to be 2,773, affecting more than 95 million individuals. ®

Get our [16]Tech Resources



[1] https://www.bbc.com/mypension/about-the-scheme/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zliin8m1Pxh4-YSwxomnDAAAAE4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zliin8m1Pxh4-YSwxomnDAAAAE4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zliin8m1Pxh4-YSwxomnDAAAAE4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zliin8m1Pxh4-YSwxomnDAAAAE4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/04/22/ico_google_privacy_sandbox/

[7] https://downloads.bbc.co.uk/mypension/en/report_and_accounts_2023.pdf

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zliin8m1Pxh4-YSwxomnDAAAAE4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.bbc.co.uk/blogs/aboutthebbc/2010/06/changes-to-the-bbc-pension-sch.shtml

[10] https://www.theregister.com/2024/05/29/breachforums_ticketmaster_data/

[11] https://www.theregister.com/2024/05/28/savrx_data_theft/

[12] https://www.theregister.com/2024/05/07/north_yorkshire_council_blames_databases/

[13] https://www.theregister.com/2024/03/27/bbc_ends_doctor_who_ai_experiments/

[14] https://www.theregister.com/2023/06/05/british_airways_boots_moveit/

[15] https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/

[16] https://whitepapers.theregister.com/



Give it time

Falmari

"Results of the investigation, which is still ongoing, indicate that the stolen data hasn't been misused at present"

Give it time the incident was only detected on May 21.

Get our data OFF the internet

m4r35n357

I no longer believe there is _any_ organization capable of protecting our personal information these days. If it has to be paper, so be it - you had your chance and failed!

Re: Get our data OFF the internet

Bertieboy

D'accord!

Re: Get our data OFF the internet

Ball boy

Agreed.

Remind we why this kind of data moved to the cloud - and how such a decision sits with the inevitable 'We take the security of client data seriously' statement that some middle-tier wonk will be obliged to make. I can't for a moment imagine the choice was made on cost grounds!

sitta_europea

It's like the bowl of petunias said...

And it's odd that this doesn't seem to have been reported on the BBC News Website yet.

Names, national insurance numbers, dates of birth, sexes, and home addresses

JimmyPage

Could have been worse. Could have been their genders

Gosh that takes me back... or is it forward? That's the trouble with
time travel, you never can tell."
-- Doctor Who, "Androids of Tara"