Cyber Incident Victim: Now:Pensions

Date:

Dec 2020

Location:

United Kingdom

Summary

A UK pension administration firm experienced a data breach affecting approximately 30,000 customers when a third-party service provider was compromised, resulting in unauthorized access to sensitive personal information. Exposed data included names, postal and email addresses, birth dates, and national identification numbers equivalent to Social Security numbers, which were subsequently posted online. The incident impacted participants in workplace pension plans administered by the firm, which attributed responsibility for the breach to its external service provider.

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Description

The Now:Pensions data breach exposed the personal information of approximately 30,000 UK pension plan participants shortly before Christmas 2020. Attackers accessed and publicly posted sensitive customer data, including full names, postal addresses, email addresses, dates of birth, and national identification numbers equivalent to Social Security numbers. The workplace pension administrator confirmed unauthorized access to its systems through a third-party service provider that handled aspects of its operations. While the exact intrusion timeline was not disclosed, the breach notification was issued immediately before the holiday period, when affected individuals were preparing for celebrations. No information was provided regarding how the breach was detected, whether ransomware was involved, or whether data encryption measures failed. Now:Pensions did not identify the compromised third-party vendor or specify whether multiple service providers were involved in the incident.

The company publicly attributed responsibility for the security failure to its unnamed third-party provider while acknowledging its role as data controller. Exposed records contained sufficient information to facilitate identity theft and financial fraud against pension holders. Now:Pensions did not disclose whether the breached data involved active accounts, former members, or both. Legal commentary noted that under ERISA regulations governing employee benefit plans, selecting and monitoring service providers constitutes a fiduciary duty requiring cybersecurity assessments. No details were provided about containment measures, forensic investigations, law enforcement involvement, or credit monitoring offers to victims. The incident highlighted systemic risks when pension administrators rely on external vendors without publicly verifiable security audits or breach response protocols.

Sources
1 source