Leaked data includes the name, date of birth and sex of members, their home address and national insurance number.
The BBC is investigating a data breach affecting more than 25,000 current and former employees.
According to The Guardian, the BBC’s pension scheme wrote to members yesterday to say their details had been stolen in a data security incident that it was taking “extremely seriously.” The email did not explain how the breach had happened, but said that private records had been “copied from an online data storage service.”
Breached Records
The data leaked includes the name, date of birth and sex of members, their home address, national insurance number and an indication that they are a member of the BBC pension scheme. However, no financial information, telephone numbers, email addresses, usernames or passwords, or any sensitive health information was breached.
Catherine Claydon, chair of the BBC Pension Trust, reassured recipients that they are taking the incident “extremely seriously” and the BBC took immediate steps to assess and contain the incident.
“We are working at pace with specialist teams internally and externally to understand how this happened and take appropriate action,” she said. “As a precaution, we have also put in place additional security measures and continue to monitor the situation.”
Adam Brown, managing security consultant at the Synopsys Software Integrity Group, called this “a big breach”, not just in the size of 25,000 records (half of the beneficiaries) but in terms of the sensitivity of the type of data exposed, which includes regular beneficiaries and, one would assume, public figures' personal information, too.
“The BBC pension site appears to be up and running at the time of writing, which suggests that this was not a ransomware attack. It is quite possible that data stored on a connected repository with incorrectly configured security could have leaked,” he said.
Written by
Dan Raywood
Senior Editor
SC Media UK