25 May 2023
In the News: Data Breach affecting the Universities Superannuation Scheme (USS)
What has happened?
Capita (a sub-contractor for many public sector organisations) recently reported a cyber incident involving hackers targeting some of its computer servers. In mid-May it was confirmed that USS members data was held on the affected servers.
This affects around 470,000 active, deferred and retired members, and includes the following personal data:
- Title, initial(s), and name; date of birth; National Insurance number; USS member number, retirement dates.
What does my organisation need to do?
If your organisation uses the Universities Superannuation Scheme you should review your latest contract. A data sharing agreement/contract should set out each organisation’s responsibilities under data protection law and discuss the steps that will be taken in the event of a data breach and set out each party’s liabilities (such as legal or regulatory action).
USS should contact affected members and organisations with an update. As a separate data controller, it is unlikely your organisation would be subject to direct legal action in relation to this data breach. USS will likely have reported this breach to the ICO who will investigate and determine if any regulatory action (such as a fine) will be taken.
If your organisation uses USS, you could consider what duty of care, they have to notify staff of this breach (even though it has been caused by a separate data controller), here is an example of good practice: USS/ Capita data breach: information for staff – University of York or UCL response-potential-data-breach
What if I am personally affected?
You should receive updates from USS and can review their website for updates.
You should be on guard for suspected phishing emails. The purpose of a scam email is often to get you to click a link. This will take you to a website which might download a virus to your computer or steal passwords or other personal information. This is sometimes known as ‘phishing’.
The National Cyber Security Centre has detailed guidance (link) on how to look out for and report these scams.
If a message or call makes you suspicious, stop, break the contact, and consider the language it uses. Scams often feature one or more of these tell-tale signs:
- Current events
What lessons can be learned from this?
Organisations must ensure that data they hold is protected by adequate security, this includes ensuring that data processors (organisations hosting personal data on your behalf) have appropriate measures in place.
Your organisation should:
- Know your data controllers and data processors and what data they hold, usually through your records of processing (ROPA),
- Have agreements in place when sharing with another data controller,
- Have a contract with any data processors which includes data protection terms, especially around security and reporting/handing data breaches,
- Conduct appropriate due diligence on data processors such as ensuring they have certifications such as ISO27001 and/or Cyber Essentials
- Discuss with your IT department/provider what security has been applied in your own organisation, using these 10-steps to cyber security.
- Ensure Board Level engagement on data protection and cyber security using the Board Cyber Security Toolkit,
- Ensure your own staff have a good level of security awareness. The National Cyber Security Centre has provided e-learning training available here: Top tips for staff.
- Have a Breach Response Procedure which sets out what actions to take in the event of a data breach.
Written by: Jess Pembroke – Head of Data Protection
Naomi Korn Associates offer a range of data protection services to help organisations with their data protection responsibilities so that it is managed legally, safely and strategically. We also provide downloadable resources, operational tools and templates, jargon-free advice, practical training and mentoring to ensure organisations comply with data protection on a day-to-day basis. For more information contact email@example.com.