Unencrypted laptop with 109 000 records on pension schemes members stolen

The laptop theft is believed to have been targeted, and was carried out at the offices of NorthgateArinso, The Pensions Trust’s software provider. NorthgateArinso, a global human resources software and services provider, says the laptop was stored in a locked room and that the machine itself had password protection. The lost data, however, which includes names, addresses, national insurance numbers, and bank details for those already receiving their pension, was not encrypted.

The schemes affected are:
  • Social Housing
  • SSHA
  • Independent Schools
  • Flexible Retirement Plan
  • Growth Plan (Series 1, 2 & 3)
  • Unified Ethical Plan

Lynda Howe, chair of Verify Trustees, said in a Pensions Trust statement: “NorthgateArinso has expressed their regret that this theft has occurred and investigations are ongoing. I can confirm that The Pensions Trust has now withdrawn access to personal member data from NorthgateArinso and have also instructed them to delete any existing personal member data they hold. We are hopeful that this incident will not have any impact on members but, as a precaution, we have arranged for them to be protected by CIFAS [UK’s Fraud Prevention Service] and have set up a members’ helpline.”

Texas-based endpoint data protection provider Credant Technologies criticises The Pensions Trust for not protecting its data better.

“The fact that the Trust is a not-for-profit organisation does not mean that it can bypass any of the stringent IT security safeguards or require similar controls to be implemented by its contracting companies”, said Michael Callahan, vice president of Credant.

The laptop and its data were used by NorthgateArinso in its staff training.

“It is to be hoped that the firm will now review its procedures on using live data in training situations, and also start beefing up its IT security procedures, including applying a policy of encrypting all private data, whether at rest or in transit”, Callahan added.

The Pensions Trust says on its website that its most important task is to provide individual members “a high quality service that they can rely on.”

The laptop, which was reported stolen at the end of March, contained details of members belonging to six of The Pensions Trust’s 39 pension schemes. According to a NorthgateArinso statement, there is no evidence so far that the data has been used or accessed.
