Capita - Hacked

BoyJohn811

I have also received an email from USS that pretty much all of my presonal details were stolen by hackers (title, initial(s), and name, your date of birth, your National Insurance number, your USS member number and your retirement date). Unfortunately, these are permanently linked to a specific person, not something we can change like a password. Since digital data can be traded unlimited times, this can get back to me even in 10 years time - none of my personal details can be changed.

I am guessing the danger is not really losing money directly from my bank account (strong password, 2FA, checking accounts regularly, common sense, etc.), rather, it is the fact that a hacker can use my details for any survice they wish to sign up for (e.g., credit application or any other online application that uses identity theft) and I would not even know about it.

I was also offered a complementary 1 years account with Experian. I have never taken any credit in my life (not even credit card) and have very strong online protection (password managers, 2FA, hardware security keys, etc.); however, I cannot change my national insurance number or birthdate.

Would anyone have recommendations on what else I can do to protect myself? Is it possible, for example, to block all new applications (e.g., credit applications) in my name?

corky23

https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/   

Boyjohn - you can freeze your credit score - see above. I've been hacked as well so not only will I be doing that but going to a lawyer, as data breaches, which cause distress but no financial loss, still requires a settlement.

I was annoyed when my provider moved the pension administration from an internal group company to Capita, given all the known issues with Capita and knowing that the only reason the move was taking place was "cost cutting." 

OldScientist

BoyJohn811 said:

I have also received an email from USS that pretty much all of my presonal details were stolen by hackers (title, initial(s), and name, your date of birth, your National Insurance number, your USS member number and your retirement date). Unfortunately, these are permanently linked to a specific person, not something we can change like a password. Since digital data can be traded unlimited times, this can get back to me even in 10 years time - none of my personal details can be changed.

I am guessing the danger is not really losing money directly from my bank account (strong password, 2FA, checking accounts regularly, common sense, etc.), rather, it is the fact that a hacker can use my details for any survice they wish to sign up for (e.g., credit application or any other online application that uses identity theft) and I would not even know about it.

I was also offered a complementary 1 years account with Experian. I have never taken any credit in my life (not even credit card) and have very strong online protection (password managers, 2FA, hardware security keys, etc.); however, I cannot change my national insurance number or birthdate.

Would anyone have recommendations on what else I can do to protect myself? Is it possible, for example, to block all new applications (e.g., credit applications) in my name?

In the same worrisome situation (although USS have yet to offer me anything - I guess they have 400k+ emails to send out!). The only thing that could be changed in that list is the USS member number (which would require action by USS, but would protect the pension at least). As you say, it appears that NI numbers can never be changed.

With the information they have stolen, an address can be found easily enough (unless you have a very common name). We're already careful about shredding sensitive paper info, but will continue be vigilant in the physical domain (e.g. someone rummaging through our bins or recycling for documents is not so far fetched).

Does the loss of this data mean that bank accounts can still be opened with a soft check or will full ID be required every time I try to open a new account (although irritating, I hope the latter)?

As you say, this is a 'forever' leak - the list of info will still be circulating and useful for the bad guys until my death (even more useful when I get older and even less compos mentis). A one year subscription to experian (I assume identity plus or creditexpert was offered) is a relatively cheap sop (although I note that it is currently £7 a month for identityplus - anything equivalent and cheaper?).

LHW99

An update, including news of a second data breach at Capita

https://techcrunch.com/2023/05/15/capita-breach-fallout-widens-as-customers-learn-of-data-theft/

It appears M&S and Diageo pension schemes, as well as the USS, AT&T, Royal Mail, Wincanton and Colchester Council schemes (mentioned in the article) plus probably the TPS seem to have been affected

frugalfran

Read about CIFAS as an extra layer of protection, is this perhaps another layer of protection tion?

Umiamz

frugalfran said:

Read about CIFAS as an extra layer of protection, is this perhaps another layer of protection tion?

Everything I’ve read about CIFAS markers is that they can seriously impact your credit rating. I’m not sure whether this includes Protective Registration but it seems like a last resort to me.

TheBanker

Umiamz said:

frugalfran said:

Read about CIFAS as an extra layer of protection, is this perhaps another layer of protection tion?

Everything I’ve read about CIFAS markers is that they can seriously impact your credit rating. I’m not sure whether this includes Protective Registration but it seems like a last resort to me.

Protective Registration doesn't impact your credit eligibility. But it will mean applications take longer to process as human intervention is required. The bank I work for recommend CIFAS Protective Registration if a customer tells us their personal details have been compromised. 

flaneurs_lobster

TheBanker said:

Umiamz said:

frugalfran said:

Read about CIFAS as an extra layer of protection, is this perhaps another layer of protection tion?

Everything I’ve read about CIFAS markers is that they can seriously impact your credit rating. I’m not sure whether this includes Protective Registration but it seems like a last resort to me.

Protective Registration doesn't impact your credit eligibility. But it will mean applications take longer to process as human intervention is required. The bank I work for recommend CIFAS Protective Registration if a customer tells us their personal details have been compromised. 

CIFAS Protective Registration costs £25 for two years.

I'm surprised that CIFAS Protective Registration doesn't seem to be offered by hacked organisations while Identity Protection from the likes of Experian and Kroll often is. Are they doing the same thing? Too expensive?

Wyndham

I'm no longer contributing (or drawing) but have money in USS. My husband is still contributing to the scheme. He has had an email about Experian protection, but I've yet to receive mine - though I can see that they may do the emails in 'batches' and we'd be in different groups.

My problem with the offer of a free Experian account for a year is that I don't think this is enough. What about Equifax or Transunion. We're always told to check all three, not just one.

And, as mentioned above, this is a lifetime hack...

shefmarkh

Wyndham said:

I'm no longer contributing (or drawing) but have money in USS. My husband is still contributing to the scheme. He has had an email about Experian protection, but I've yet to receive mine - though I can see that they may do the emails in 'batches' and we'd be in different groups.

My problem with the offer of a free Experian account for a year is that I don't think this is enough. What about Equifax or Transunion. We're always told to check all three, not just one.

And, as mentioned above, this is a lifetime hack...

I would have thought at a minimum we (I am also affected) should get lifetime subscriptions to all relevant monitoring services. As you say this data will be out there forever and we can't change the NI number etc.

To discourage future leaks the people who caused this should be held personally responsible and pay out compensation - of course this will never happen.