Capita confirmed they took extensive steps to recover and secure the data. They are also monitoring the ‘dark web’ and to date have said they can find no evidence that the data is being circulated widely. We have also commissioned our own review of the ‘dark web’, and our third-party investigation company also found no evidence of the exfiltrated files. We did not share any member personal data outside of USS as part of this exercise.
Questions and answers
Get answers to any questions you might have about the hack and our response.
General
The details, dating from 2021, cover around 470,000 active, deferred and retired members. We understand this data was contained in files generated by Capita from the main Hartlink system, and held separately on Capita services, to facilitate operational processes. Capita have identified from their investigations that personal data was exfiltrated (i.e., accessed and/or copied) by the hackers. The information accessed includes:
- Their title, initial(s), and name; their date of birth; their National Insurance number; their
USS member number and their retirement date
The details, dating from 2021, cover around 470,000 active, deferred and retired members. We have arranged for all current members of the scheme to have access to a leading identidy protection service, free of charge.
We have been engaging closely with Capita since it first announced the cyber incident. Capita first
formally informed USS of a personal data breach on Thursday 11 May 2023.
Within a day of formally being informed, we published an update and an initial set of Q&As (available via the www.uss.co.uk homepage) to address immediate questions - and began to email members to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice.
Capita have confirmed that they have taken extensive steps to recover and secure the data as well as monitoring the 'dark web'. We have also commissioned our own review of the 'dark web'.
Members have been given access to a leading identity protection service provided by Experian, free of charge, and we have written to them setting out how that will work.
We would encourage members to only ever give out personal information if they are absolutely sure they know who they are communicating with.
- If you receive a suspicious email, you should forward it to report@phishing.gov.uk
- For text messages and telephone calls, forward the information to 7726 (free of charge).
- For items via post, contact the business concerned.
- If there are any changes to your National Insurance information, HM Revenue & Customs would contact you – but you can also phone them on 0300 200 3500.
If you are concerned someone might be impersonating USS, please let us know by emailing mydata@uss.co.uk.
The National Cyber Security Centre and the Information Commissioner’s Office (ICO) both provide guidance that may also be useful.
We are currently receiving a very high volume of enquiries so we may take longer than usual to respond. We thank you for your patience, as we work our way through each query. Our Frequently Asked Questions are being updated weekly to address member questions, so check back regularly for updates.
Capita have confirmed they have taken extensive steps to recover and secure the data as well as monitoring the 'dark web'.
We want to assure members that data privacy and security is a top priority for us.
Having reviewed our own systems and controls to ensure they remain robust, we are very confident members' pensions remain secure. My USS login information has not been compromised. We have also strengthened our ID and verification processes.
They would not be able to do this, as a person contacting USS to make changes to a pension would
need to know additional information.
Yes, this is a personal data breach and not a breach of My USS login information.
We are confident members’ pensions remain secure. We have reviewed our own systems and
controls to ensure they remain robust. My USS login information has not been compromised.
Yes, we have reported this to ICO and will work with them on any investigation they choose to conduct. This will be an important part of the process in respect of next steps.
Yes.
Yes.
Experian service-specific
Please check the email address carefully. Our emails to members come from members@news.uss.co.uk.
If you are concerned someone might be impersonating USS, please let us know by emailing mydata@uss.co.uk.
We have sent Experian activation codes to all members. All members with a valid email address will have recieved their code via email. Members we don't have a valid email address for will have recieved a code by letter.
The Experian activation codes expired at the end of August. If you activated your code before this date, you will have access to the Experian service for 12 months.
Please contact Experian’s Customer Support Centre on 020 8090 3696. They are open Monday to
Friday, 8am to 6pm. (Charges for calling 02 numbers are the same as calls made to a standard UK
landline.)
Please keep trying – a number of other companies have been affected by Capita’s data breach and
have offered this service so their contact centre is likely to be experiencing high volumes of calls.
You may need to provide Experian with some personal details in the sign-up process so that Experian
can match them with your credit record for identification purposes and set up your monitoring.
If you choose to use the service, you will need to provide Experian with some personal details in the
sign-up process so that Experian can match them with your credit record for identification purposes
and set up your monitoring. You should review Experian's terms and conditions to make sure you are
comfortable sharing the information requested.
A feature of Experian Identity Plus lets you know when your credit file is searched. A credit check or a credit search happens when a company wants to access your credit report to understand your financial behaviour. It shows how you’ve managed your money in the past and is often carried out by lenders, such as banks and building societies, potential employers, letting agencies, insurance companies (often happens if you’ve used comparison sites) and utility companies.
There are two types of credit checks: soft and hard.
- A soft credit check is an initial look at certain information on your credit report. Companies perform soft searches to decide how successful your application would be without conducting a full examination of your credit history.
- A hard credit check happens when a company makes a complete search of your credit report. Each hard check is recorded on your report, so any company searching it will be able to see that you’ve applied for credit.
If you notice that you have had your credit file search, this does not mean your data has been compromised. Credit checks are a common legitimate practise. However, a large number of hard credit checks over a short period of time could affect your credit score. It’s also important not to ignore any credit file searches that have been undertaken by companies that you haven’t been engaging with or that you don’t recognise. To find out more about credit searches, and how to avoid hard credit checks, visit: https://experian.co.uk/consumer/guides/searches-and-credit-checks.html
Experian is one of the three main consumer credit reference agencies. They hold information
relating to your credit, service and utility accounts.
You will be guided through the process of setting up the Experian Identity Plus services after following the link in the email. If you require additional support, please can the Experian Identity Plus product helpdesk on 020 8090 3696. They are open Monday to Friday, 8am to 6pm.
(Charges for calling 02 numbers are the same as calls made to a standard UK landline.)
Capita have confirmed that they have taken extensive steps to recover and secure the data as well as monitoring the 'dark web'. We have also commissioned our own review of the 'dark web'.
Having reviewed our own systems and controls to ensure they remain robust, we are very confident members' pensions remain secure. My USS login information has not been compromised. We have also strengthened our ID and verification processes.
But we only have oversight of members' USS accounts. The monitoring service provides far more comprehensive protection for members across services and accounts members may use, but over which we do not (and would not) have any oversight. This service also requires explicit consent to set up and provides direct alerts to members, we therefore cannot set up this service on behalf of members.
We have not given Experian any of your information. Should you choose to use the voucher, Experian will be responsible for handling your personal data and you will need to agree to their terms and conditions to this end. Your voucher code lets you sign up for the Experian service free of charge. You will need to provide some personal details in the sign-up process so that Experian can match them with your credit record for identification purposes and set up your monitoring. You may then also choose to ask Experian to monitor the web (including the dark web) for certain personal details provided by you.
The ID protection service will monitor activity based on the information you give to Experian. If you
think there has been any suspicious activity on accounts in your name, or anything in your credit
record you don’t recognise, contact the organisation concerned as soon as possible.
Providing the Experian service, free of charge and at no cost to USS, has helped members to take immediate steps to protect themselves from the potential impact of Capita’s data breach while investigations into the incident continue.
We will, however, keep this under review – in line with any investigations the Information Commissioner’s Office feels necessary to pursue in order to inform its view on what appropriate action should follow. This will ensure that any decisions USS takes in relation to supporting its members remain proportionate and appropriate. When we have greater clarity on these issues, we will pursue whatever avenues might be available in the best interests of all our members.
No. There is no cost to USS members or the scheme. The service is being provided on a complimentary basis by Capita.
The ID protection service will monitor activity based on the information you give to Experian. If you
think there has been any suspicious activity on accounts in your name, or anything in your credit
record you don’t recognise, contact the organisation concerned as soon as possible.
This is something for you to consider, but we would suggest it is only necessary if you think there has
been any suspicious activity on your account.
Yes. If you’re registered at a UK address, Identity Plus is the correct product for you even if you currently live overseas.
However, if you are registered as living at an address overseas and do not have a UK address, please contact us at mydata@uss.co.uk and we will arrange for you to receive a code for a non-UK product. Please note, we are receiving a high volume of enquires so we may take longer than usual to respond to you.