Law firm Burges Salmon cites BBC and Capita incidents as it urges trustees to put cybersecurity high on their agendas.

The £14.7bn BBC Pension Scheme recently suffered a “data security incident”, according to a statement from the scheme. The breach led to some members’ personal information being copied from “a cloud-based storage service”.

The BBC emphasised that the affected information did not include contact, financial or login data and initial analysis showed “no evidence that the affected files have been misused”.

More than 25,000 members – approximately half of the scheme’s total membership – were affected by the incident, the Guardian reported last week.

Samantha Howell, senior associate at Burges Salmon, and Richard Pettit, partner, said in a blog about the incident: “The Pensions Regulator [TPR] has made it clear in its latest cybersecurity guidance published in December 2023 and in its intervention report on the Capita cyber incident published in February 2024 that prompt communication with members impacted by a cyber incident should be prioritised.

“In the case of this attack, the BBC Pension Scheme certainly appears to have met those TPR expectations, given that it is reported that the scheme was only made aware of the incident on 21 May and a statement and FAQs have already been published on the BBC’s website.”

Lessons from the Capita breach

In a separate update, Howell highlighted that a cyber-attack on a pension scheme or a service provider could have many long-lasting repercussions.

Capita’s pensions administration business suffered a serious cybersecurity breach in March 2023 when customer data was exfiltrated.

Howell recommended that all pension schemes put cyber risk on their risk registers so that they are prepared to act if affected.

“[The Capita] cyber-attack affected thousands of pension holders who had their personal data compromised,” she said. “While many – particularly those pension schemes that were lucky enough not to be impacted – may think of this incident as recent history, for Capita and many of the pension schemes that were impacted the effects of the cyber incident are still being felt more than one year on.

“Trustees should also not underestimate the significant consequences which may follow a cyber incident... Now, more than ever, it is vital that pension schemes and related bodies ensure they have robust cyber policies and practices in place to best protect themselves from cyber threats and attacks.

“The best thing pension scheme trustees can do is prepare, prepare, prepare.”

It has been estimated that Capita’s costs associated with the incident could be as much as £25m.

On top of this, Barings Law has filed a class action lawsuit against Capita in the High Court on behalf of over 5,000 pension holders, which it has estimated could be worth up to £5m.

Capita has denied that there is any basis for legal action. In a statement quoted in the Telegraph, the company said: “We strongly reject any suggestion that there is any valid basis for bringing a claim against Capita.”

Capita also instructed a third party to carry out a forensic investigation into the incident but has already said there was no evidence of any information emanating from the breach circulating on the dark web.

Howell said Burges Salmon was aware that several pension schemes had been contacted since the completion of the investigation. The Universities Superannuation Scheme is one pension scheme known to have been affected.

Howell added: “In some cases, schemes that were previously affected were contacted to be told that the breach was worse than they had previously been told, i.e. additional members or data were impacted.

“Some schemes that were previously told that they had not been affected by the cyber incident were told that they had in fact been victims of the security breach around a year after the original incident.”

Further reading

How can trustees manage cybersecurity risks? (25 March 2024)

The Pensions Regulator reacts as cyber-attacks on the increase (14 December 2023)

Cyber-attack is a risk like any other – so manage it (30 August 2023)