BBC pension scheme data breach exposes more than 25,000 current and former employees

The BBC logo pictured at BBC Broadcasting House on January 17, 2022 in London, England.
(Image credit: Getty Images)

Data belonging to more than 25,000 staff at the BBC has been exposed in a data breach, the broadcaster has revealed. 

The corporation's pension scheme this week wrote to members warning that 25,290 current and former employees had been affected by the breach.

Information exposed in the breach is believed to include names, national insurance numbers, dates of birth, sex, and the home addresses of some pension scheme members.

In a statement given to ITPro, a spokesperson for the pension scheme said the corporation’s information security team is aware of the incident.

The spokesperson noted that “some BBC pension scheme records have been copied from an online data storage service”.

"It is important to stress that this information did not contain any bank details, financial information, telephone numbers, email addresses, username or passwords and did not involve the Pension Scheme website or our member portal,” they added.

The BBC has one of the biggest occupational pension schemes in the UK, with more than 50,000 members. According to the spokesperson, there's no evidence that the affected files have been misused.

"We sincerely apologize to members affected by this and appreciate this will be concerning. We want to reassure members that the BBC has responded quickly and that the source of the incident has been secured.”

BBC security teams are tackling the issue

Specialist internal teams and external partners are working “at pace” to establish how the breach occurred, and will continue to monitor the situation, the spokesperson said. Additional security measures have also been put in place in the wake of the incident. 

The pension scheme has warned members to be on the alert for any unsolicited and unexpected messages asking for personal information or unexpected actions. 

It's also given them two years' free access to the Experian Identity Plus credit and web monitoring service.

The incident has also been reported to the Information Commissioner’s Office (ICO) and the UK’s pensions regulator.

Was the BBC breach a ransomware attack?

While the source of the breach hasn’t yet been revealed, speculation on the incident initially pointed toward a ransomware attack. 

The corporation is a frequent target for cyber criminals. Two years ago, it revealed that it had fended off nearly 50 million cyber attacks in just four months across 2021 and 2022, and that it experienced an average of 383,278 email attacks every day.

Last summer, it was one of several large organizations to fall victim to a breach involving the MOVEit file transfer software, claimed by the ransomware group Clop. Information such as national insurance numbers and company IDs were exposed in the incident.


However, Adam Brown, managing security consultant at Synopsys Software Integrity Group, noted that given the site is now back online, this points to another cause.

"The BBC pension site appears to be up and running at the time of writing, which suggests that this was not a ransomware attack," he said. "It is quite possible that data stored on a connected repository with incorrectly configured security could have leaked."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.