
Cyber Incident Victim: BBC Pension Scheme

Date: May 2024

Location: United Kingdom

Summary

Cybercriminals breached a cloud database used by the BBC Pension Scheme, compromising personal data—including names, national insurance numbers, dates of birth, sexes, and home addresses—belonging to over 25,000 current and former employees. The intrusion, detected by internal security teams, did not affect financial information, login credentials, or the pension system's operational integrity; the database was secured post-incident, and impacted individuals were offered two years of Experian credit monitoring. The breach was reported to UK regulators, marking the organization's second significant data theft incident within a year following a prior compromise via the MOVEit vulnerability.


Description

On May 21, 2024, the BBC detected unauthorized access to a cloud database used by its Pension Scheme administration team, resulting in the theft of personal records belonging to 25,290 current and former employees. The compromised data included names, national insurance numbers, dates of birth, sexes, and home addresses, though no financial information or login credentials were accessed. The BBC's cybersecurity team identified the breach and engaged external specialists to investigate, leading to the immediate lockdown of the affected database. Preliminary findings indicated no evidence of misuse of the stolen data at the time of reporting. All impacted members received email notifications on May 30, 2024, and were offered two years of complimentary credit monitoring—Experian Identity Plus for UK residents and Experian IdentityWorks for overseas members. The BBC Pension Scheme issued a public apology, emphasized enhanced security measures, and advised members to remain vigilant for suspicious activity while confirming that no immediate action was required from them. The incident was reported to the UK Information Commissioner’s Office and the Pensions Regulator.

The breach affected approximately 43% of the BBC Pension Scheme’s 58,787 total members, targeting a database supporting a plan closed to new entrants since 2010 due to financial strain from the 2008 economic crash. This marked the BBC’s second major data theft incident within a year, following the June 2023 compromise of payroll data via the MOVEit Transfer vulnerability exploited by the Cl0p ransomware group. In the prior incident, attackers stole dates of birth, home addresses, national insurance numbers, and staff ID numbers from BBC employees through a breach at payroll provider Zellis. The 2024 pension data theft did not impact the scheme’s operational integrity, member portal, or website. The BBC’s response included forensic analysis, collaboration with cybersecurity experts, and real-time monitoring for potential misuse of the stolen data, though the investigation remained ongoing at the time of disclosure.
