
Data Breaches, Fraud, and USS

Further advice from a real expert

I was at the Cambridge Cybercrime Conference in June and I had the opportunity to discuss the USS breach with Richard Clayton. His research interests are much closer to cybercrime than mine; he is an acknowledged leader in this field. His key takeaways are:

  • This is a very large breach: consequently, your individual risk is very low. It is not easy for a criminal to do much with the stolen data. In practical terms, the data loss is not likely to lead directly to an attack. Even your National Insurance number, which is alleged to be confidential, does not present a serious risk.
  • On balance, you probably should take up the free Experian offer, but there are two important caveats:
    • Do not be frightened by the warnings they send to you. Experian’s business model for this product depends on scaring you into continuing with a paid subscription after the free period.
    • Make certain that the sign-up process does not embroil you in “inertia selling” with a requirement that you actively cancel at the end of the free year.
      As you will see below, it does!
  • The benefits of the Experian product are limited; it is probably not good value for you to continue with the paid-for service after the free year. UCU negotiators should confirm with USS that there will be no “inertia selling” or “scare tactics” to induce members to pay for ongoing Experian service.
  • Think hard before you “freeze” your credit; it may have unexpected consequences. For example, it will likely prevent you hiring a car.
  • As always, watch your bank and credit card statements for anything unexpected.
  • There has been frightening publicity about unauthorised student loans or property transactions through the Land Registry. These are not widespread; in most cases you will be sent a physical letter to your home before anything seriously bad happens.

Experian sign-up

I signed up for the “free” Experian “Identity Plus” membership. After I turned off cookies, the site asked for my title, first and last name, date of birth, email address, contact phone number, and mother’s maiden name. At the bottom of this page, it displayed the worrying small print:
The next page wanted my current address, a password, and a memorable word, along with agreement to the Experian terms and conditions. It then made a rather crude identity check, asking me to confirm a credit card supplier I use, and how long I have had it. After that, I was in, with the promise of a Daily Experian Fraud Report.

It encouraged me to enter extra information, including driving licence, passport, credit card and bank account numbers along with additional emails, phones and addresses; I declined. I was then presented with my report. I might be rather boring, but mine contained just five entries, with nothing older than three months. Three were associated with insurance renewals in April; the other two were because I had signed up to this service. They were all marked Won’t impact your credit score. Experian also knew about my credit card (and credit limit) and gas/electric account.

Oddly, they then presented a list of “useful addresses”. These were mainly organisations with whom I used to have some sort of account many years ago; it was not clear why they might still be helpful.

Overall, I did not learn anything useful, and the report seemed more interested in my credit rating than my security. Richard Clayton’s concern seems justified; it looks as if Experian really do hope that I will forget about this “offer” by next year, and find myself paying them nearly £180 per year for a service which appears to be of very little value.

I will post them a letter asking them to cancel my membership automatically when the year is up, and to confirm that they will be doing so. It would be good if our USS negotiators could make sure that none of our members are tricked into this substantial annual payment.

Yet another data leak

If you have used MyView recently, you will have seen that it is now hosted by Zellis; the URL is now and we are no longer required to enter a “favourite colour” or any other second factor authentication. Sadly, Zellis have also suffered a data breach as part of the wider problem with the MOVEit file transfer software.

We have not been notified that any Southampton staff have been affected.

Fair treatment

To further protect yourself, you might think about moving to a bank which prioritises fair treatment in the event of a loss. The TSB is one of Martin Lewis’s top bank accounts for new switchers. At the Cybercrime conference, Ross Anderson told us that the TSB, uniquely, offers the TSB Fraud Refund Guarantee. Many other banks will routinely accuse customers of “gross negligence” and refuse a refund. These decisions are hard to fight.

USS as an activist investor

UCU HE Sector Conference has passed motions seeking to influence USS investment strategy in 2022, 2021, 2020, 2018 and 2016. Our ethical concerns have included climate change, armaments, and international conflicts. We have made little progress in influencing USS’s behaviour.

While we may not believe that the public water supply should be in private hands, such utilities would, under normal circumstances, be typical of the safe, long-term investments that would be made by a fund such as USS. USS has holdings in both Thames Water and South West Water: the latter through Pennon Group PLC. Sadly, our water and sewerage services are neither the safe custodians of our national infrastructure, nor the steady investments for which we might hope.

In this sector, USS is an activist investor. Bill Galvin has said:

We remain of the view that, with an appropriate regulatory environment, the long-term objective of repairing important UK infrastructure and paying pensions to our members are in strong alignment.

Now what can that mean? Is he asking Ofwat not to be too rigorous in cleaning up our rivers? Something similar has come from Thames Water itself:

Shareholders have also acknowledged that delivery of the Turnaround Plan will require the provision of further equity support in AMP8, significantly in excess of the current AMP7 commitment. Indicatively, the AMP8 equity support is expected to be in the region of £2.5 billion, but the nature and level of such medium-term support will depend on the finalisation of the business plan and the regulatory framework that will apply to the AMP8 period.

The USS JNC met last Friday, but our negotiators were unable to learn much:

We pressed USS on Thames Water on Friday at the JNC including on our views on good governance, ethical investment and nationalisation particularly given that USS had invited the former Thames Water CEO Sarah Bentley as their poster-child for successful investment/intervention to the institutions meeting. We did not make much headway, and due to the concerns about requirements under market abuse regulation etc, they were unable to comment on their position. But we will press again at the next JNC as things unfold.
[report by Deepa Govindarajan Driver]

We may feel fortunate that here in Southampton we are not in Thames Water’s area. Sadly, Macquarie Asset Management, who did much to put Thames Water in its current position, have bought a majority stake in our Southern Water.

Denis Nicole
