The UK pensions sector suffers more than one data breach every week on average, new figures reveal, with some of the industry’s biggest names failing to protect savers’ sensitive information.
As of April this year, pension schemes and other companies in the sector have recorded 156 breaches since May 2018, when the General Data Protection Regulation introduced the obligation to report serious incidents to the Information Commissioner’s Office.
The figures, obtained through a freedom of information request sent by Pensions Expert, also suggest breaches have surged amid Covid-19, with reports of malicious attacks on the sector rising sharply since the start of the year.
The vast amounts of personal data the pensions sector holds about savers — from emails and passwords, to health information and bank details — make it an attractive target for cyber criminals.
But experts suggested the extent of the breaches now revealed would be shocking to most in the industry, which in many ways has lagged most of the financial sector on digital security.
The figures from the ICO, the data protection regulator, show 11 breaches reported since May 2018 were caused by fraudulent cyber attacks known as phishing, while three were the result of unauthorised access to personal information.
Security issues were the cause of 27 data breaches, including an incident at the government’s Pension Protection Fund, which covers payments to more than 230,000 members of insolvent pension schemes.
The nature of other breaches was undisclosed or attributed to internal errors, such as personal data being emailed to the wrong person.
Some organisations breached multiple times
The PPF has previously revealed that the personal data of “a small percentage of members and a few employees” were “potentially compromised” by a cyber attack discovered in late 2018. An “emergency response team” was subsequently created to ensure the protection of personal information, it said in its most recent annual report.
Since the introduction of the GDPR legislation, organisations must report any breach to the ICO that could risk “people’s rights and freedoms” within 72 hours of becoming aware of the incident. Those people must also be informed if they are likely to be “adversely” affected.
In the lead-up to the legislation being enforced throughout the EU, the Pensions and Lifetime Savings Association warned schemes they could not avoid “the need for [data] protection”. There would be “no phasing-in period and the repercussions for non-compliance can be severe”, it cautioned.
According to the figures obtained by Pensions Expert, 23 organisations in the pensions sector have reported multiple breaches since the GDPR was introduced.
Prudential Staff Pensions Ltd, the scheme for FTSE 100 investment manager M&G, has suffered six breaches, among them one “security” incident, according to the ICO. FTSE 100 pensions provider Aviva reported four breaches, plus one at its own staff pension fund.
A trustee at Prudential Staff Pensions said “the number of breaches are extremely small compared with the number of transactions undertaken by the scheme each year”, adding that each incident was the result of human error. The trustee “does not recognise [the security incident]”, claiming no such report was made.
A spokesman for Aviva said approximately 300 people had been affected by the five breaches, which all “related to human error or process error”. The company has since taken on board the ICO’s recommendations, which included additional training for staff, he added.
ICO yet to take further action
Eight organisations have been investigated by the ICO following data breaches, including the UK pension schemes of Carlsberg, pub retailer Greene King, Channel Four and hotel chain Hilton. None of these investigations resulted in further regulatory action.
The trustees of Carlsberg Pension Trustee Ltd said they “take data security very seriously”, and confirmed “a small number of members” had been affected by the reported phishing attack. A spokesperson for Greene King said the breach, which involved the “alteration of personal data”, affected two scheme members.
A spokesperson for Channel Four said its breach, which was also reported to the ICO as an “alteration of personal data” incident, affected one member. Hilton did not provide a response.
The total number of data breaches in the pensions sector is likely to be even higher than the 156 revealed by Pensions Expert, as the ICO said a number of reports may be filed in the broader “finance, insurance and credit” sectors.
But Jim Gee, head of forensic services at advisory firm Crowe UK, said this figure already exceeds “what most pension organisations assume would be the situation”, adding that the majority would not be aware the sector had suffered one successful cyber attack.
“While recent years have seen more and more pensions schemes and administrators strengthening their protection, there is still a long way to go,” said Mr Gee, who also chairs the Pensions Administration Standards Association’s cyber crime and fraud working group.
Sarah Parkin, a managing associate at Linklaters specialising in pensions law, said: “If we get notified about [data breaches], it is nothing like one a week. [These figures are] slightly surprising to me.
“Pension schemes vary quite a lot in the levels of governance they have in place,” she added, with smaller schemes generally being less well prepared for a data breach.
But even the biggest schemes are susceptible to breaches. Three separate incidents were reported to the ICO by the Northern Ireland Local Government Officers’ Superannuation Committee, Northern Ireland’s public sector pension fund and biggest scheme by assets.
These incidents involved the annual benefit statements of three members being opened after they were sent to homes where they no longer lived, according to NILGOSC chief executive David Murphy. The scheme now posts newsletters in advance of the statements to pick up on any out-of-date addresses, he said.
Covid-19 surge
The figures show reports of breaches, particularly those caused by cyber attacks, have soared amid the coronavirus pandemic.
The ICO recorded 27 incidents in the pensions sector from January to March — more than double the number during the same period in 2019.
Seven of the 11 phishing attacks recorded since the GDPR was introduced two years ago were reported during the first three months of this year, while two of the three unauthorised access incidents were also recorded in this period.
As previously reported by Pensions Expert, cyber criminals are targeting pension funds with unparalleled aggression during the pandemic, as schemes that have long maintained a fondness for face-to-face meetings and paper packs are forced to move online during the lockdown.
“Once the virus took off there has been a massive uptick in cyber crime,” Mr Gee told Pensions Expert in the weeks after the country went into lockdown. “[Criminals] see this as prime time for their cyber criminal businesses.”