Cybercriminals raid BBC pension database, steal records of over 25,000 people

This just in: We lost your personal info, but here's 2 years' worth of Experian

The BBC has emailed more than 25,000 current and former employees on one of its pension schemes after an unauthorized party broke into a database and stole their personal data.

Names, national insurance numbers, dates of birth, sexes, and home addresses were included in the data that was exposed via a cloud database used by the BBC Pension Scheme's admin team, it told El Reg.

No financial information or login credentials were compromised, and the incident didn't affect the integrity of the scheme itself, its website, or the portal used by scheme members to manage their investments.

The incident was detected on May 21 by the BBC's infosec team, who brought in outside experts to help dig into the case. Results of the investigation, which is still ongoing, indicate that the stolen data hasn't been misused at present, and the database has now been locked down.

Every one of the circa 25,290 scheme members affected has been offered two years' worth of credit monitoring – Experian Identity Plus for UK residents and Experian IdentityWorks for those who absconded to enjoy retirement abroad. But that still hasn't appeased members who wrote to Vulture Central, who were quite clearly ticked off at the email notification they received on Wednesday evening.

A BBC Pension Scheme spokesperson said in a statement: "We sincerely apologize to members affected by this and appreciate this will be concerning. We want to reassure members that the BBC has responded quickly and that the source of the incident has been secured. We are working at pace with specialist teams internally and externally to understand how this happened and to monitor the situation. As a precaution, additional security measures have also been put in place.

"Whilst there is no action members need to take, it is important to be vigilant for any activity that seems unusual. We have written/are writing to members affected informing them of the incident, along with advice and support through our website and pension service line. We are also offering Scheme members affected free access to the Experian Identity Plus credit and web monitoring service, as an additional layer of security should they wish to use it.

"The incident has been reported to the Information Commissioner's Office and the Pensions Regulator."

The BBC Pension Scheme stopped accepting new members in 2010 and, according to its 2023 accounts [PDF], there are currently 58,787 members on the scheme, meaning just under half were impacted by the data theft.

The scheme was closed due to financial difficulties stemming from the 2008 crash, the Beeb's then-CFO Zarin Patel explained in a blog post. The value of the fund tumbled and as a result, the broadcaster made controversial changes that essentially reduced the payout for members.

Its generous public sector pension was considered a decent tradeoff for a BBC salary that wasn't as competitive as rival commercial broadcasters. Commenters under Patel's blog post said they felt "sick" after learning of the changes.

Members who joined the BBC after December 10, 2010, were enrolled in its "LifePlan" defined contribution plan.

This week's incident is also the second major data theft at the Beeb in the space of a year. The broadcaster was one of the earliest major organizations to have been affected by Cl0p's mega-raid on unpatched MOVEit MFT users last year.

At the time, the MOVEit document-transfer tool was used by payroll services provider Zellis, which was hit in the attacks alongside British Airways, Aer Lingus and high street cosmetics retailer Boots when miscreants exploited a critical vulnerability in deployments of the Progress Software app. Companies including the BBC, British Airways and Boots told staff at the time that their sensitive payroll data was stolen.

The BBC said dates of birth, home addresses, national insurance numbers, and staff ID numbers were among the data types stolen in that break-in.

Security biz Emsisoft, which has been tracking MOVEit victims since May 2023, currently pegs the number of orgs globally whose data has been stolen using the flaw at 2,773, affecting more than 95 million individuals. ®
