UK firm NOW: Pensions tells some customers a 'service partner' leaked their data all over 'public software forum'

Compromised info includes names, email addresses, DoBs, and National Insurance numbers


Updated Workplace pension provider NOW: Pensions has emailed a number of UK customers to warn about a data leakage caused by contractor error.

The email, seen by this publication, claims a service provider "unintentionally" posted user data to an unnamed "public software forum". These records include biographical data (names, email addresses, and dates of birth) as well as National Insurance numbers. According to the pension provider, the data was obtained by "a small number" of third parties.

NOW: Pensions said the records were only visible for "a short time". This apparently means three days, with the company saying the data was exposed between 11 and 14 December.

From the warning issued to customers, it's hard to grasp the scale of the problem. NOW: Pensions did not disclose how many records were exposed, nor how many third parties copied the leaked data. We asked NOW: Pensions, as well as its PR agency, for comment via phone call and email. At the time of publication, we had not heard back.

As expected, the company has entered damage control, with customers offered 12 months of free Experian Identity Plus (a subscription service that offers credit and darkweb monitoring) to assuage their worries. It also promised to review staff training, and said the individuals responsible for the snafu no longer have access to user data – although the company did not go into any detail about whether they work with or for the company.

Both the Information Commissioner's Office (ICO) and The Pensions Regulator have been informed. An ICO spokesperson told The Register: "NOW: Pensions Limited have reported a breach to us and we will be assessing the information provided."

In the email issued to customers, NOW: Pensions admitted improper use of customer data is a possibility, describing it as "the worst case scenario". Downplaying the issue, it said there's "no evidence to suggest this has happened or will happen".

"There's no evidence which indicates that your data is being used by unauthorised parties, or that the unknown parties who had access to your data have any malicious intent," it added.

This feels a little premature. Given the issue was still active less than two weeks ago, according to NOW: Pensions' own disclosure, it's hard to determine where these leaked records will end up, or how they'll be used. The intimate nature of the data means it is entirely plausible they could form the basis of targeted phishing efforts.

NOW: Pensions was formed in 2011 and is the third-largest master trust in the UK. It has faced various IT woes throughout its existence, which earned it unwelcome attention from regulators.

In 2018, The Pensions Regulator issued the firm a £50,000 fine for failing to ensure all employee and employer contributions were promptly collected and invested. The same year, it was hit with a further £20,000 for failing to report late or missing contributions to members.

In 2019, a Parliamentary inquiry into workplace pensions saw NOW: Pensions interrogated by MPs over investment performance concerns, with the firm forced to explain why its returns were three times lower than those of its main competitors.

Updated on 22 December at 16.47GMT to add:

Following publication of this article, NOW: Pensions contacted us to clarify that fewer than 2 per cent of its customers were affected, and it has sent emails or letters informing them of the leak.

This article has been corrected from the version first published which incorrectly stated that 1.7 million members have been contacted. ®

Biting the hand that feeds IT © 1998–2022