About 30,000 customers of Now:Pensions face an anxious Christmas after a serious data breach at the pensions provider led to their sensitive personal details being posted on the internet.
In an email sent to affected customers, the workplace pensions firm warned that names, postal and email addresses, birth dates and National Insurance numbers all appeared in a public forum online.
The company, which manages auto-enrolled and other workplace pensions for 1.8 million workers, said that less than 2% of its customers had been caught up in the incident.
It said the customers’ data had been obtained “by an unknown third party” and blamed the breach, which happened between 11 and 14 December, on an outside contractor. The company had not apologised in any correspondence seen by the Guardian.
Patrick Luthi, the chief executive of Now:Pensions, said: “The data was visible only to users of that forum for a short time and was copied by a small number of unknown parties. We reported this incident to the pensions regulator and the Information Commissioner’s Office.
“Protecting our members’ personal data is of the utmost importance to us and we are taking this matter extremely seriously. We acted as soon as we were made aware of the issue.”
News of the breach will be a considerable source of anxiety to those whose data was breached. The consequences of having personal data stolen can be severe; scammers wanting to defraud people can buy personal information details on the online black market.
Fraudsters have spent much of 2020 making fake universal credit claims in people’s names, using exactly the data stolen in this case.
One of the people affected told the Guardian that he had received a call on Thursday from someone purporting to be from his mobile phone provider warning him of a problem. “It was obviously a scam but it appeared to be based on the fact that my details got into the wrong hands, as they mentioned my National Insurance number. This doesn’t bode well for the future, and I’m not very happy about this, to say the least,” said the man, who lives in London, but asked not to be named.
Now:Pensions said it offered the affected customers a year’s free access to Experian Identity Plus, which provides alerts about potential fraudulent activity in someone’s name. Meanwhile it has warned its customers to be extra vigilant with any emails they receive.
“Don’t give any personal or financial information to anyone or any organisation unless you’re certain they’re genuine,” it advised.