Laptop stolen from the offices of a Pensions Trust contractor

Jun 1, 2009 09:05 GMT
Pensions Trust contractor leaks personal details of 109,000 UK pension holders

A laptop containing the personal and banking details of 109,000 members of six of the Pensions Trust's 39 schemes was stolen from the offices of NorthgateArinso, a company contracted to develop pension administration software. The computer was password-protected, but the data itself was not encrypted.

The Pensions Trust has sent notification letters to all those affected and has signed them up with CIFAS, the UK's Fraud Prevention Service. The service works similarly to the free fraud alerts placed with the credit reporting bureaus in the US: it requires all financial institutions to perform additional transaction validations and checks on applications made in the name of the individuals signed up with it.

NorthgateArinso noted that the laptop was stolen from a "secure computer room" at its Marlow offices and that it was used as a "database for development, training and performance testing." The data stored on the computer contained names, addresses, dates of birth, National Insurance numbers, names of employers, salary details, information on nominees and bank accounts.

"Why on earth was there any need to use live data for testing and training purposes in the first place?" asks Graham Cluley, senior technology consultant at Sophos. "If a large amount of data needed to be used for testing purposes or statistical analysis then it should have been sanitised beforehand, by wiping out identifying information," he explains.

And if live data was used, why wasn't it encrypted? Operating system password protection is not that hard to overcome; in fact, many security professionals would argue that it's fairly easy to bypass. The incident has prompted the Pensions Trust to take action against the contractor. "The Pensions Trust has now withdrawn access to personal member data from NorthgateArinso and have also instructed them to delete any existing personal member data they hold," commented spokeswoman Lynda Howe, according to the BBC.

In an official statement regarding the theft, posted on the NorthgateArinso website, the company notes that "The view of the police is that this was an opportunistic theft and there is no evidence that any of the data on the laptop has been used or accessed." Unfortunately, that offers little to no comfort to the people whose privacy has been severely compromised as a result.

A similar data leak involving pension information occurred back in October 2008, when a laptop belonging to financial consulting firm Deloitte was stolen. The computer contained personal and pension information of over 150,000 UK railway workers and employees of other Deloitte clients.