Further advice from a real expert
I was at the Cambridge Cybercrime Conference in June and I had the opportunity to discuss the USS breach with Richard Clayton. His research interests are much closer to cybercrime than mine; he is an acknowledged leader in this field. His key takeaways are:
- This is a very large breach: consequently, your individual risk is very low. It is not easy for a criminal to do much with the stolen data. In practical terms, the data loss is not likely to lead directly to an attack. Even your National Insurance number, which is alleged to be confidential, does not present a serious risk.
- On balance, you probably should take up the free Experian offer, but there are two important caveats:
  - Do not be frightened by the warnings they send to you. Experian’s business model for this product depends on scaring you into continuing with a paid subscription after the free period.
  - Make certain that the sign-up process does not embroil you in “inertia selling” with a requirement that you actively cancel at the end of the free year.
    As you will see below, it does!
- The benefits of the Experian product are limited; it is probably not good value for you to continue with the paid-for service after the free year. UCU negotiators should confirm with USS that there will be no “inertia selling” or “scare tactics” to induce members to pay for ongoing Experian service.
- Think hard before you “freeze” your credit; it may have unexpected consequences. For example, it will likely prevent you hiring a car.
- As always, watch your bank and credit card statements for anything unexpected.
- There has been frightening publicity about unauthorised student loans or property transactions through the Land Registry. These are not widespread; in most cases you will be sent a physical letter to your home before anything seriously bad happens.
Experian sign-up
I signed up for the “free” Experian “Identity Plus” membership. After I turned off cookies, the site asked for my title, first and last name, date of birth, email address, contact phone number, and mother’s maiden name. At the bottom of this page, it displayed the worrying small print:
The next page wanted my current address, a password, and a memorable word, along with agreement to the Experian terms and conditions. It then made a rather crude identity check, asking me to confirm a credit card supplier I use, and how long I have had it. After that, I was in, with the promise of a Daily Experian Fraud Report.
It encouraged me to enter extra information, including driving licence, passport, credit card and bank account numbers along with additional emails, phones and addresses; I declined. I was then presented with my report. I might be rather boring, but mine contained just five entries, with nothing older than three months. Three were associated with insurance renewals in April; the other two were because I had signed up to this service. They were all marked Won’t impact your credit score. Experian also knew about my credit card (and credit limit) and gas/electric account.
Oddly, they then presented a list of “useful addresses”. These were mainly organisations with whom I used to have some sort of account many years ago; it was not clear why they might still be helpful.
Overall, I did not learn anything useful, and the report seemed more interested in my credit rating than my security. Richard Clayton’s concern seems justified; it looks as if Experian really do hope that I will forget about this “offer” by next year, and find myself paying them nearly £180 per year for a service which appears to be of very little value.
I will post them a letter asking them to cancel my membership automatically when the year is up, and to confirm that they will be doing so. It would be good if our USS negotiators could make sure that none of our members are tricked into this substantial annual payment.
Yet another data leak
If you have used MyView recently, you will have seen that it is now hosted by Zellis; the URL is now https://soton.hcm.zellis.com/myview/ and we are no longer required to enter a “favourite colour” or any other second factor authentication. Sadly, Zellis have also suffered a data breach as part of the wider problem with the MOVEit file transfer software.
We have not been notified that any Southampton staff have been affected.
Fair treatment
To further protect yourself, you might think about moving to a bank which prioritises fair treatment in the event of a loss. The TSB is one of Martin Lewis’s top bank accounts for new switchers. At the Cybercrime conference, Ross Anderson told us that the TSB, uniquely, offers the TSB Fraud Refund Guarantee. Many other banks will routinely accuse customers of “gross negligence” and refuse a refund. These decisions are hard to fight.
USS as an activist investor
UCU HE Sector Conference has passed motions seeking to influence USS investment strategy in 2022, 2021, 2020, 2018 and 2016. Our ethical concerns have included climate change, armaments, and international conflicts. We have made little progress in influencing USS’s behaviour.
While we may not believe that the public water supply should be in private hands, such utilities would, under normal circumstances, be typical of the safe, long-term investments that would be made by a fund such as USS. USS has holdings in both Thames Water and South West Water: the latter through Pennon Group PLC. Sadly, our water and sewerage services are neither the safe custodians of our national infrastructure, nor the steady investments for which we might hope.
In this sector, USS is an activist investor. Bill Galvin has said:
Now what can that mean? Is he asking Ofwat not to be too rigorous in cleaning up our rivers? Something similar has come from Thames Water itself:
The USS JNC met last Friday, but our negotiators were unable to learn much:
We pressed USS on Thames Water on Friday at the JNC including on our views on good governance, ethical investment and nationalisation particularly given that USS had invited the former Thames Water CEO Sarah Bentley as their poster-child for successful investment/intervention to the institutions meeting. We did not make much headway, and due to the concerns about requirements under market abuse regulation etc, they were unable to comment on their position. But we will press again at the next JNC as things unfold.
[report by Deepa Govindarajan Driver]
We may feel fortunate that here in Southampton we are not in Thames Water’s area. Sadly, Macquarie Asset Management, who did much to put Thames Water in its current position, have bought a majority stake in our Southern Water.