UMSS | Cyber security incident

Recent cyber attack at The University of Manchester in June 2023

We regret to inform you that a third party recently gained unauthorised access to our University's system, resulting in the compromise (accessing and copying) of some personal data. We want to assure you that the majority of our members are not affected and our administration processes, including pension payments, will continue without interruption.

The compromised system is connected to the Pensions Office, which plays a crucial role in administration. While the breach is concerning, we want to emphasise that the impact has been contained and measures are already in place to prevent future occurrences. Our team has been working diligently to rectify the situation and reinforce the security of our system.

In light of this incident, we are taking steps to mitigate potential risks for our members by offering a complimentary Experian Identity Plus membership. For more information, and to find answers to frequently asked questions, please refer to the official letter we sent to you in early September 2023.

We would like to remind you to remain vigilant and exercise extra caution. Cyber security is a shared responsibility, and your proactive approach to online safety can significantly contribute to the overall security of your personal data.

If you have any queries or concerns related to this incident, we encourage you to reach out to our Information Assurance team.

Additionally, if you have non-cyber related messages for the Pensions Office, they are available and ready to assist you.

While this incident is regrettable, we want to reassure you that the security and integrity of your data is our utmost priority. We will continue to take all necessary steps to strengthen our system and maintain the trust you have placed in us.

We appreciate your support and understanding, but above all, on behalf of the Trustee and University, we are deeply sorry that this situation has arisen.

FAQs

Was my data impacted?

As part of the forensic investigation we have identified a small number of files which were taken which impacted some members. We have sent a letter to all members to confirm if they were affected.

There is no evidence that that this was targeted and the system the Trustee uses to administer your pensions is completely separate and has not been compromised. The Trustee and University will continue to remain vigilant and should anything further come to light, will be in touch with you. Otherwise, an update will be provided in the Scheme Newsletter later this year.

Is there anything I should do?

No specific action is required, and if you are in receipt of your pension this will continue to be paid. The Trustee would draw your attention to the points raised in the letter about being extra vigilant, as well as the sources for further support if required.

Is this related to the USS/ Capita cyber incident?

No, whilst these happened in relatively close proximity, the incident is completely unrelated to the cyber incident, which impacted USS data.

What is phishing?

Phishing is email spam, which attempts to trick individuals into giving away sensitive information or login credentials. Most attacks are not targeted and are instead sent in bulk to a wide audience.

This type of attack can involve sending fraudulent emails or messages that appear to be from a trusted source, such as a bank or government agency. These messages typically redirect to a fake login page where the user is prompted to enter their login credentials. Please note that the Trustee will never send you an email requesting that you email or call us with your bank details.

Who are Experian, and what is their offer?

The Trustee is offering the Experian service to you for 12 months as a precautionary measure. It is not an indication that your data has been affected.

Experian is the largest of the three credit agencies operating in the UK, all of which receive their data from the same source (lenders). You should receive an alert if a new line of credit is opened from any of the three agencies, therefore, you do not need to have accounts with each.

What security does Experian have?

Most modern organisations face a significant number of risks relating to the loss of information. Due to the nature of Experian’s business, they are no different. To defend their data, Experian has developed a best-of-breed security framework based around ISO27001; the cornerstone of which is their information security policy.

As well as their commitment to ensuring that their staff continue to meet Experian’s high standards, they have also made a significant investment in establishing a Global Security function to ensure that security is embedded within Experian’s day-to-day activities across the world.

How do I take up the offer?

We have sent details on how to activate your complimentary Identity Plus membership, this includes your activation code.

You can contact Experian’s Customer Support Centre on 03444 818182. They are open Monday to Friday, 8am to 6pm. Charges for calling 03 numbers are the same as for calls to standard UK landline phone numbers starting 01 or 02 – if your package means you can call 01 or 02 numbers for free – the same will apply to 03 numbers.

I live overseas – will this membership still be appropriate?

If you’re still registered at a UK address, Identity Plus is the correct product for you even if you currently live overseas. However, if you are registered as living at an address overseas and do not have a UK address, please contact us at wellbeing@manchester.ac.uk and we will arrange for you to receive a code for a non-UK product.

What do I get as part of this offer?

Once your membership is activated, you will have access to the following features:

Unlimited access to your Experian Fraud Report.
Credit Alerting – an email or text to let you know when certain changes happen on your Experian Credit Report, such as the addition of a new credit search.
Access to Experian’s CreditLock feature so you can Lock your Experian Credit Report when you’re not applying for credit.
Web monitoring – an alert by email or text which confirms that personal information has been found on the dark web.
Access to Experian’s Victims of Fraud service if you do become a victim of fraud, who will support you in resolving fraud that has occurred.
If you are at higher risk of fraud, Experian can add protective Cifas registration to your Credit Report which can help prevent credit being taken in your name.

What if I have already taken up the Experian offer?

The Trustee is aware that some members may have already taken up the Experian offer, either through the University or by being a member of USS, which was also impacted by a separate cyber incident earlier this year.

Anyone who set up an Experian account after one of these offers do not need to set up another account – the same service (Identity Plus, Experian’s enhanced offer) is being offered in this circumstance. If you have already taken up the Identity Service via the USS, you will be able to take the Trustee offer as an additional second year but will require a new activation code – the one sent during this period is valid for three months.

Where this applies, we ask you to email wellbeing@manchester.ac.uk to let us know, quoting that you are an UMSS member. In 12 months, we will make additional codes available to these members.