UK firm NOW: Pensions tells some customers a 'service partner' leaked their data all over 'public software forum'

Compromised info include names, email addresses, DoBs, and National Insurance numbers


Updated Workplace pension provider NOW: Pensions has emailed a number of UK customers to warn about a data leakage caused by contractor error.

The email, seen by this publication, claims a service provider "unintentionally" posted user data to an unnamed "public software forum". These records include biographical data (names, email addresses, and dates of birth) as well as National Insurance numbers. According to the pension provider, the data was obtained by "a small number" of third parties.

NOW: Pensions said the records were only visible for "a short time". This apparently means three days, with the company saying the data was exposed between 11 and 14 December.

From the warning issued to customers, it's hard to grasp the scale of the problem. NOW: Pensions did not disclose how many records were exposed, nor how many third parties copied the leaked data. We asked NOW: Pensions, as well as its PR agency, for comment via phone call and email. At the time of publication, we had not heard back.

As expected, the company has entered damage control, with customers offered 12 months of free Experian Identity Plus (a subscription service that offers credit and darkweb monitoring services) to assuage them of their worries. It also promised to review staff training, and said the individuals responsible for the snafu no longer have access to user data – although the company did not go into any detail about whether they're working with or for the company.

Both the Information Commissioner's Office (ICO) and The Pensions Regulator have been informed. An ICO spokesperson told The Register: "NOW: Pensions Limited have reported a breach to us and we will be assessing the information provided."

In the email issued to customers, NOW: Pensions admitted improper use of customer data is a possibility, describing it as "the worst case scenario". Downplaying the issue, it said there's "no evidence to suggest this has happened or will happen".

"There's no evidence which indicates that your data is being used by unauthorised parties, or that the unknown parties who had access to your data have any malicious intent," it added.

This feels a little premature. Given the issue was still active less than two weeks ago, according to NOW: Pension's own disclosure, it's hard to determine the where these leaked records will end up, or how they'll be used. The intimate nature of the data means it is entirely plausible they could form the basis of targeted phishing efforts.

NOW: Pensions was formed in 2011 and is the third-largest master trust in the UK. It has faced various IT woes throughout its existence, which earned it unwelcome attention from regulators.

In 2018, The Pensions Regulator issued the firm a £50,000 fine for failing to ensure all employee and employer contributions were promptly collected and invested. The same year, it was hit with a further £20,000 for failing to report late or missing contributions to members.

In 2019, a Parliamentary inquiry into workplace pensions saw NOW: Pensions interrogated by MPs over investment performance concerns, with the firm forced to explain why its returns were three times lower than those of its main competitors.

Updated on 22 December at 16.47GMT to add:

Following publication of this article, Now: Pensions contacted us to clarify that fewer than 2 per cent of its customers were affected, and it has sent emails or letters informing them of the leak.

This article has been corrected from the version first published which incorrectly stated that 1.7 million members have been contacted. ®

Similar topics

Broader topics


Other stories you might like

  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
    Customer data collection and retention requirements also increased, including for crypto operators

    India's Computer Emergency Response Team (CERT-In) has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.

    The national infosec agency stated the short deadline is needed as it has identified "certain gaps causing hindrance in incident analysis."

    Organizations can use email, phone, or fax to send incident reports. Just how the analog mediums will improve improve analysis gaps is uncertain.

    Continue reading
  • Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft
    Life tastes not so good right now

    Coca-Cola confirmed it's probing a possible network intrusion after the Stormous cybercrime gang claimed it stole 161GB of data from the beverage giant.

    "We are aware of this matter and are investigating to determine the validity of the claim," Coca-Cola communications global vice president Scott Leith told The Register on Tuesday. "We are coordinating with law enforcement."

    The ransomware gang, which has declared its support for the Russian government's illegal invasion of Ukraine, this week bragged it "hacked some of the company's servers and passed a large amount of data inside them without their knowledge." It's now trying to sell the stolen data for about $64,000, or nearest offer "depending on the amount of data you want," Stormous wrote on its website where it leaks pilfered information.

    Continue reading
  • Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion
    Financial software giant slammed for 'poor security practices'

    Intuit is being sued in the US after a security failure at its Mailchimp email marketing business allegedly led to the theft of cryptocurrency from one or more digital wallets.

    In a proposed class-action lawsuit [PDF] filed in federal court in northern California on Friday, the plaintiff – Alan Levinson of Illinois – claimed he and potentially others fell victim to a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and funds siphoned.

    Someone earlier stole from Mailchimp details of Trezor's mailing-list subscribers, and used this information to reach out to those users with an email engineered to trick them into installing malware designed to hijack their digital wallets. Levinson said he believes millions of dollars in crypto-coins were stolen in this attack, including $87,000 from his own wallet.

    Continue reading
  • So, what happened with GitHub, Heroku, and those raided private repos?
    Who knew what when and what did they do?

    Analysis GitHub says it has identified and alerted developers who have had their private repositories accessed and downloaded via stolen authentication tokens.

    In this multifaceted fiasco, Microsoft-owned GitHub insisted its security was not breached. Instead, we're told, "compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."

    Salesforce-owned Heroku confirmed someone compromised an OAuth token – presumably an internal staffer's token – to get into Heroku's GitHub account and rifle through, and potentially update, users' GitHub repositories "using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub."

    Continue reading

Biting the hand that feeds IT © 1998–2022