Master trust Now Pensions has confirmed that some of its members have had their personal data shared online by a service partner.
Reports of a data breach at the 1.8m-member auto-enrolment provider surfaced on Tuesday after the scheme emailed members to inform them.
The Cardano-owned company said in a statement that the leak has impacted fewer than 2 per cent of its membership, and that it is not yet aware of any of the data being used by third parties for malicious purposes.
Patrick Luthi, the company's chief executive, said the incident took place between Friday December 11 and the following Monday.
“Our current understanding is that one of our service partners unintentionally posted some members’ personal data in a public software forum,” he said in a statement.
Mr Luthi sought to offer reassurance that the provider has taken swift action: “These actions contravened Now Pensions’ procedures, as specified for all staff and contractors. The data was visible only to users of that forum for a short time and was copied by a small number of unknown parties. We reported this incident to The Pensions Regulator and The Information Commissioner’s Office.
“Protecting our members’ personal data is of the utmost importance to us and we are taking this matter extremely seriously. We acted as soon as we were made aware of the issue,” he continued.
Reports have suggested that details shared include members' names, national insurance numbers, addresses and emails, backed up by a forum poster who said they were a Now member.
Mr Luthi said: “Relevant members, fewer than 2 per cent of our total membership, who are affected by this incident (the law sets out thresholds about this) have been sent communications setting out our current understanding of the situation and the steps we are taking to mitigate any risks to their data. We would ask those members to refer to that correspondence. We do not have any evidence that any members’ data is being used by unauthorised third parties.”
The ICO has taken harsh action against large companies involved in data breaches. Ticketmaster was recently fined £1.25m for failing to protect customers' payment details.
The breach has also attracted the attention of claims management firms, such as Your Lawyers, which issued a press release advertising its services to members of the master trust.
Director Aman Johal said: "The sensitive information leaked in the Now Pensions breach, including names, addresses, dates of birth, and National Insurance numbers, could lead to victims being targeted by cyber attacks, fraud and phishing scams. Those affected must be vigilant to the threats that they could now face.
"The [General Data Protection Regulation] is clear when it comes to data protection responsibilities, including for incidents like this that may involve contractors. Those in breach of the GDPR must be held to account and the door is now open for victims to claim."