Ritchie Wilson was thrilled to discover in February that he had an extra pension fund worth £40,000 in his Scottish Widows account that he had not previously accounted for.
But when the 52-year-old didn’t recognize the employer he had supposedly earned the pension from, he realized it didn’t belong to him.
After digging into the details, she discovered she had full, unrestricted access to the pension of a stranger – a person who shared her date of birth and last name, but not her first name.
Alarmingly, father-of-two Ritchie feared this meant the stranger could also access his own pension fund, which was much larger, well into six figures.
Anxious Ritchie, from Ayrshire, south-west Scotland, says he emailed and called Scottish Widows repeatedly, but a lack of urgency among call handlers meant that for more than nine weeks nothing was done to restrict his access.
Carelessness: Our investigations have uncovered a shocking pattern of disregard for private customer information at pensions giant Scottish Widows.
Instead, the pension company began sending him emails describing how to access the stranger’s pension and disclosing a range of personal details.
This included her full name, date of birth, national insurance number, Scottish Widows policy and account numbers and home address.
“I was horrified,” says the computer scientist, who knows very well how important data protection is. ‘This is a major data breach. He could have used this information to transfer the other Mr. Wilson’s money to another party.
Fearful that this stranger who shared his last name could in turn access his pension, Ritchie began checking his account several times a day to make sure no money had been taken.
Today, Money Mail reveals that Ritchie is one of many who were caught up in a series of disastrous data breaches at Scottish Widows that exposed customers’ personal data and left their savings at risk.
Our investigations have uncovered a shocking pattern of disregard for private customer information.
In the worst case seen by this newspaper, a reader’s pension was stolen after Scottish Widows sent all the details needed to collect it to a stranger.
Readers tell us they have received letters addressed to someone else that contain a lot of personal information.
In the wrong hands, this is a scammer’s dream and could easily be used to defraud Scottish Widows customers into obtaining loans, credit cards or phone contracts in the victim’s name.
Others say they have discovered their own data has been sent to an unknown address, putting at risk the savings they have entrusted to Scottish widows.
We have submitted some of the most serious cases of clear data protection violations to the company for investigation.
Scottish Widows confirmed all cases had been reported to the regulator and said they were unrelated.
A spokesperson said: “We take our data protection responsibilities seriously and regret that in these individual cases we may have shared some information with the wrong customers in error.”
We are working hard behind the scenes to ensure this does not happen again.” Money Mail has raised the alarm with the City regulator, the Financial Conduct Authority and the Information Commissioner’s Office.
Counterattack: Thousands of concerned customers have joined a Facebook group called Scottish Widows Complaint Platform
The ICO has the power to fine companies found to have breached data protection laws up to 4 per cent of their turnover.
Thousands of people have joined a Facebook group called Scottish Widows Complaint Platform, set up by retired American businessman Mark Radin.
Over the last 18 months, Mark has helped hundreds of frustrated Scottish Widows customers resolve their complaints.
He says he’s seen a dozen recent data breach cases and adds, “It’s amazing.” I hear it all the time: letters are sent to the wrong people.
‘It is incredible that a company that has existed for 220 years can behave in this way. One wonders how many others have had their data shared by mistake.”
Mark spends up to 50 hours a week talking to members. At any given time, he has up to 30 cases going. The Facebook group has more than 1,600 members.
Only after contacting Mark, who lodged a complaint with Scottish Widows on his behalf, were Ritchie’s problems resolved at the end of April.
You can no longer see the other person’s pension and have been assured that your pension is not visible to anyone else. However, she was told that she had access to the stranger’s pension fund from 2022 due to a “technical error”.
“For years, I could have done anything with this stranger’s money,” he says. ‘I have no confidence in Scottish widows. They told me on the phone that my pension was insured, but until they put it in writing I can’t trust that.’
Scottish Widows have offered Ritchie £300 for the suffering caused and £250 costs. His fears that someone could steal her pension are not unfounded.
In one horrifying case, Nicola Davies, from Tamworth, Staffordshire, discovered her Scottish widow’s pension had been taken away by a stranger after her private details were wrongly disclosed.
The 55-year-old mother of two reviewed her workplace pension funds last summer before her birthday, when she could start collecting her pension.
Nicola has worked for the NHS since 2006 and has a previous employment pension saved with Scottish Widows from a previous job.
But when she logged into her account, she realized she had not received an annual pension statement from Scottish Widows since 2015, when the pension was worth £33,310.
She called Scottish Widows and was baffled when customer service told her she had transferred all her money to a financial advice company in 2015.
Savings: A reader’s pension was stolen after Scottish Widows sent all the details needed to collect it to a stranger
Following Money Mail’s involvement in November, Scottish Widows called to tell Nicola that her statement had been sent to the wrong address in 2015 and had gone to another client. Shortly after, her money was withdrawn and invested elsewhere.
“I’m absolutely stunned,” she says. “I hope that the person who lives at that address has access to all my personal data, because it was on the document.”
A spokesperson confirmed that Nicola’s name, date of birth, NI number and policy value were on the document sent to another client.
Scottish Widows has since refunded Nicola the value of her pension if it had remained invested since 2015 and has paid £5,000 in compensation. She transferred the money to another pension provider.
She says: ‘Trust is broken. I couldn’t leave them my money because of what they had done and how they deceived me when I warned them.’ A spokesman said: “We regret that Ms Davies did not receive the service from us that she should have received.”
The series of data breaches discovered by Money Mail is the latest in a long line of errors and shortcomings made by Scottish Widows.
Money Mail has previously exposed how over the past two years thousands of people have been caught in a customer service collapse at the pensions provider.
The chaos has left customers facing hour-long call wait times on hold to Scottish Widows and receiving incorrect information about their pensions, such as incorrect balances and late payments. Many customers complain about the rudeness of the staff and the loss of information on the part of the company.
Money Mail understands that these failures continue.
Founded in 1815, Scottish Widows’ original mission was to care for women and children (who had lost their parents, brothers and husbands) by offering them insurance and pension products.
However, it is now disappointing the widows and widowers in Scotland and the rest of Britain whom it was designed to help. Polly MacIntosh*, from West Sussex, says her late father, a Scottish widower, would have been horrified at how the institution has treated his family since his death.
The musician, 50, who inherited £39,900 in a tie-up with Scottish Widows after his father’s death in August 2022, was caught up in the data breaches.
When a letter never arrived and Polly called Scottish Widows, she was told it had been sent to an address she didn’t recognise. Scottish Widows confirmed that it had been sent in error and that it contained her name and policy number.
With the help of Mark Radin, Polly received her inheritance in November, 15 months after her father’s death.
They offered him £1,050 for his trouble, including £150 for the data breach. He has also been paid £1,744 in late payment interest for the delays.
Paul Davies, 52, also received a letter addressed to another person. The father-of-two from Worcestershire requested a full pension statement to prove he was on track to retire.
A document appeared on Paul’s online account but he discovered it contained details of someone else’s £20,000 pension with his personal information.
“There was so much information that it even included the details of his financial advisor,” he says. When he called Scottish Widows, he says the call operator told him to delete the file and “not to worry.”
She says they assured her that her details had not been shared with anyone else and told her that human error occurred because the other person shared her name. She has since transferred her Scottish Widows pension and was offered £150 in compensation.
An FCA spokesperson said: “We have been engaging with Scottish Widows in response to concerns raised about customer service.
‘We expect companies to resolve any data breaches as a matter of urgency. “We take these matters very seriously.”
An ICO spokesperson said: “People have a right to expect financial institutions to keep their confidential information secure and if anyone has concerns about how their data has been used we encourage them to contact us so we can help.” .
*Name has been changed
Some links in this article may be affiliate links. If you click on them, we may earn a small commission. That helps us fund This Is Money and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.
