The BBC has launched an investigation after the details of more than 25,000 current and former employees were exposed in a data breach.
The corporation’s pension scheme wrote to members on Wednesday to tell them their data had been stolen in a data security incident it was taking “extremely seriously”.
A spokesman for the pension scheme said the data of around 25,290 people had been affected by the breach.
The BBC said it had seen no evidence that the incident was a ransomware attack, a type of hack commonly used by organized cybercrime groups to steal large amounts of personal data.
The BBC has one of the largest occupational pension schemes in the UK, with more than 50,000 members.
In its email to staff, the corporation did not explain how the breach had occurred, beyond saying that the private records had been “copied from an online data storage service.”
The leaked data includes the members’ name, date of birth and gender, their address, national insurance number and an indication that they are members of the BBC pension scheme.
The corporation said the breach did not include banking details, financial information, phone numbers, email addresses, usernames or passwords, or any sensitive health information.
The incident has been reported to the UK privacy regulator, the Information Commissioner’s Office (ICO) and the Pensions Regulator.
The email from Catherine Claydon, chair of the BBC Pension Trust, said: “We take this incident very seriously and want to reassure you that we and the BBC have taken immediate action to assess and contain the incident.
“Rest assured that we have responded quickly and the source of the incident has been secured.
“We are working at pace with internal and external specialist teams to understand how this happened and take appropriate action.
“As a precautionary measure, we have also implemented additional security measures and continue to monitor the situation.”
The BBC said there was currently no evidence that private information had been misused, but said this was being monitored. He advised members to “be alert to any activity that appears unusual.”
after newsletter promotion
In a statement, a spokesperson for the BBC pension scheme said it “sincerely apologized” to members, adding: “We want to reassure members that the BBC has responded quickly and the source of the incident has been secured.
“We are working at pace with internal and external specialist teams to understand how this happened and monitor the situation.
“As a precautionary measure, additional safety measures have also been implemented.”
Although the nature of the attack is still unclear, it is the second known data breach suffered by the BBC in less than a year.
Last June, the corporation was one of several companies, including British Airways, Boots and Aer Lingus, that were hit by a massive attack believed to have been carried out by an organized Russian-speaking cybercrime group.
An ICO spokesperson said: “BBC Pension Trust has alerted us to an incident and we are assessing the information provided.”
