BBC HQ

The BBC has disclosed a data security incident that occurred on May 21, involving unauthorized access to files hosted on a cloud-based service, compromising the personal information of BBC Pension Scheme members.

As per the reports, the incident impacted roughly 25,000 people, including current and former employees of Britain’s national public service broadcaster.

The compromised data includes:

  • Full names
  • National Insurance numbers
  • Dates of birth
  • Sex
  • Home addresses

The announcement published on BBC’s pension website clarifies that the data security incident did not expose people’s telephone numbers, email addresses, bank details, financial information, and ‘myPension Online’ usernames and passwords.

Also, the incident did not impact the operation of the pension scheme portal, which BBC reassures is safe for people to continue using.

Impacted individuals will be contacted via email (sent from “mypension@bbc.co.uk”) or post (if no email address is available), while those not getting a notification should consider themselves not affected.

The UK’s Information Commissioner’s Office (ICO) and the Pensions Regulator have also been notified accordingly.

The BBC apologized to its former and current staff for the incident and stated there is no evidence that the copied data had been misused while advising pension members to remain vigilant.

“Analysis undertaken by our specialist teams currently shows no evidence that the affected files have been misused, and this continues to be monitored,” reads the announcement.

“Whilst there is no specific action affected members need to take, it is always important to be alert to data and cyber security.”

“We encourage members to be cautious of any unsolicited and unexpected communications that ask for your personal information or ask you to take unexpected steps.”

The BBC has also published a FAQ page about the security incident, containing guidance on enabling two-factor authentication and activating a 24-month credit and web monitoring service by Experian.

More information on what those impacted should do due to the incident can be found on this National Cyber Security Center (NCSC) webpage.

The British broadcaster did not share much information about the type of security incident. As of the time of writing this, no ransomware or data extortion groups have assumed responsibility for the attack.