Capita confirmed they took extensive steps to recover and secure the data. They are also monitoring the ‘dark web’ and to date have said they can find no evidence that the data is being circulated widely. We have also commissioned our own review of the ‘dark web’, and our third-party investigation company also found no evidence of the exfiltrated files. We did not share any member personal data outside of USS as part of this exercise.
Frequently asked questions
Get answers to the most commonly asked USS member questions.
General
The details, dating from 2021, cover around 470,000 active, deferred and retired members. We understand this data was contained in files generated by Capita from the main Hartlink system, and held separately on Capita services, to facilitate operational processes. Capita have identified from their investigations that personal data was exfiltrated (i.e., accessed and/or copied) by the hackers. The information accessed includes:
- Their title, initial(s), and name; their date of birth; their National Insurance number; their USS member number and their retirement date
The details, dating from 2021, cover around 470,000 active, deferred and retired members. We have arranged for all current members of the scheme to have access to a leading identity protection service, free of charge.
We have been engaging closely with Capita since it first announced the cyber incident. Capita first formally informed USS of a personal data breach on Thursday 11 May 2023.
Within a day of formally being informed, we published an update and an initial set of Q&As (available via the www.uss.co.uk homepage) to address immediate questions - and began to email members to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice.
Capita have confirmed that they have taken extensive steps to recover and secure the data as well as monitoring the 'dark web'. We have also commissioned our own review of the 'dark web'.
Members have been given access to a leading identity protection service provided by Experian, free of charge, and we have written to them setting out how that will work.
We would encourage members to only ever give out personal information if they are absolutely sure they know who they are communicating with.
- If you receive a suspicious email, you should forward it to report@phishing.gov.uk
- For text messages and telephone calls, forward the information to 7726 (free of charge).
- For items via post, contact the business concerned.
- If there are any changes to your National Insurance information, HM Revenue & Customs would contact you – but you can also phone them on 0300 200 3500.
If you are concerned someone might be impersonating USS, please let us know by emailing mydata@uss.co.uk.
The National Cyber Security Centre and the Information Commissioner’s Office (ICO) both provide guidance that may also be useful.
We are currently receiving a very high volume of enquiries so we may take longer than usual to respond. We thank you for your patience, as we work our way through each query. Our Frequently Asked Questions are being updated weekly to address member questions, so check back regularly for updates.
Capita have confirmed they have taken extensive steps to recover and secure the data as well as monitoring the 'dark web'.
We want to assure members that data privacy and security is a top priority for us.
Having reviewed our own systems and controls to ensure they remain robust, we are very confident members' pensions remain secure. My USS login information has not been compromised. We have also strengthened our ID and verification processes.
They would not be able to do this, as a person contacting USS to make changes to a pension would need to know additional information.
Yes, this is a personal data breach and not a breach of My USS login information.
We are confident members’ pensions remain secure. We have reviewed our own systems and controls to ensure they remain robust. My USS login information has not been compromised.
Yes, we have reported this to ICO and will work with them on any investigation they choose to conduct. This will be an important part of the process in respect of next steps.
Yes.
Yes.
March 2024 update
As your free subscription is due to expire, Experian will email you at the address you provided when you registered for the service. The message will ask you to log in to your Experian account to see an important message.
Once logged in, you’ll be able to access an update that will tell you when your free subscription is due to end. It will also give you the option of continued membership of Experian at the standard rate, with instructions on how to re-register.
Experian will contact USS members between April and October, depending upon when your free subscription began.
No. Capita will not extend this offer beyond the initial 12 months provided to USS members last year.
No. The free subscription to Experian will not extend beyond the initial 12 months provided to USS members last year. We believe this to be a balanced approach, based upon the cost of extending Experian subscriptions for USS members, the risk of malicious use of the data exfiltrated from Capita’s server estate and our ongoing dark web monitoring. We have not taken this decision lightly but we are mindful that the extensive cost of extending subscriptions would be borne by the pension fund and so we have to ensure our response is proportionate.
Other factors we have considered include:
- The USS member data in question.
- The steps that Capita says it has taken to recover and secure the data contained within the part of its server estate impacted by this incident.
- The dark web searches undertaken by both USS and Capita, which have found no evidence of USS member data being circulated. USS will continue to carry out these searches throughout 2024.
- Our review of USS systems and controls, which we are confident remain robust.
While we understand the distress that any data breach can cause, the USS data that Capita has advised was potentially compromised in last year’s breach does not include information that could be used directly for phishing and/or fraud – data such as email addresses, postal addresses, banking details, payslips or passwords.
The data in question includes the title, initial(s), name, date of birth, National Insurance number and member number of around 470,000 USS members dating back to February 2021. (Note that anyone who joined USS after this date would not have been affected.) Login information for the My USS member portal has not been compromised.
We are confident that members’ pensions remain secure, and we strengthened our ID and verification processes at the outset of this incident. We have taken the view that the proportionate response, as things stand, is to continue monitoring the Dark Web rather than use scheme funds, which pay members’ pensions, to extend members’ access to Experian’s services, but we will continue to keep this position under review.