USS data breach

Capita first became aware of a data breach on 31st March; it seems that a well-known Russian ransomware team had been manipulating their systems, and their customers’ data, since at least 22nd March.

Capita first announced the breach on 3rd April, saying: “The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.”

On 11th May, however, they told USS that details of their members were held on the Capita servers accessed by the hackers. The information potentially accessed was claimed to include: title, initial(s), and name; date of birth; National Insurance number; USS member number; and retirement date.

Capita have a terrible track record (search Google for their breaches and other performance issues); here in the UK they run armed forces recruitment and TV licensing.

There are typically three things that “hackers” may try to do with your personal data.

  1. If they get passwords, they will immediately try using them to access popular financial or payment sites such as Amazon or major banks, trying related usernames and similar passwords. That should not be a problem for the USS data; Capita/USS say that login details were not taken.
  2. They might try to impersonate you, to claim tax refunds and government subsidies, to get control of your property, or to take out loans in your name. For some of these attacks, date of birth and NI number are potentially useful.
  3. They will use the information to make “phishing” emails, texts, or phone calls seem more plausible, and to “sucker” you into giving away more information or authorising payments and account changes. Again, NI number and date of birth are useful.

Today (25th May), more than two months after the “hack”, I was told by USS that my data was amongst that which had been stolen. My best guess is that this has happened to all USS members current in 2021; they are just staggering telling us about it. The mitigation offered by USS is to give free access to a 12-month membership in Identity Plus, a monitoring service provided by Experian—one of the UK’s leading Credit Reference agencies. That seems a very mean offer, and I guess it isn’t costing USS much; initial free or cheap trial periods are common when companies want to “suck you in” for the long term; Experian currently offer one free month to anybody who asks. If it were a good offer, I think three years would be a reasonable minimum free period.

Personally (and for my sins I am a co-lead of outreach at our NCSC (part of GCHQ) Gold Academic Centre of Excellence in Cyber Security Education) I would turn down the Experian offer as I think it is likely to expose more of your personal data to attack; Experian themselves do not have a good track record in protecting personal data:

So what should we do? Three things:

  1. Be aware that somebody who contacts you knowing your NI, DoB or retirement date is a likely fraudster. Don’t engage with them, and certainly don’t tell them anything. These people are likely to claim to be from USS, Experian, or the “pensions department”.
  2. Protect yourself against identity theft. For example, think about putting a “restriction” at the Land Registry on any property you own, to make it harder for a fraudster to transfer title.
  3. Treat this as a “wake up call” to adopt better personal cybersecurity practices. Sadly, the advice in today’s USS email,

     “Use strong passwords and change them regularly. Try to keep them at least eight characters long and use numbers, upper case, lower case and symbols.”

     is not regarded as current best practice; you should instead read, and act on, the NCSC infographics. This is the one on passwords:
     and here are the rest:

After I’d dealt with all that, I’d write a “stiff” letter to USS, asking them to justify their use of Capita, a known poor performer, and asking them to pay the £40 land registry fee.