The BBC has confirmed a breach of its pension scheme, exposing the personal data of many of its employees.
The public service broadcaster revealed that attackers copied files containing some BBC Trust members’ personal details from a cloud-based storage device.
The information includes names, National Insurance numbers, dates of birth and home addresses.
The BBC has apologized for the breach and said it is taking the incident “extremely seriously.”
The Guardian newspaper has reported that the breach has impacted over 25,000 current and former BBC employees, with the corporation’s pension scheme writing to members about the incident.
The BBC said the copied data does not contain any telephone numbers, email addresses, bank details, financial information, usernames or passwords.
The breach also did not involve the pension scheme website or member portal.
No Evidence of Ransomware
The BBC noted that the incident has not impacted the scheme’s operations as the data files involved were copies.
An email from the Chair of the BBC Pension Trust, Catherine Claydon, told members that there is no evidence that the incident was the result of a ransomware attack, according to The Guardian.
No further information has been given about the nature of the attack, although the BBC said the source of the incident has been secured.
The corporation added: “We are working at pace with specialist teams internally and externally to understand how this happened and have also put in place additional security measures to monitor the situation.”
There is currently no evidence that the affected files have been misused, with specialist teams continuing to monitor the situation.
However, given the nature of the data accessed, the BBC is warning impacted employees to be vigilant for unsolicited and unexpected communications that request personal details or ask them to take unexpected steps.
This includes unexpected letters, telephone calls, texts or emails, and information that refers recipients to a web page.
Impacted BBC Employees at Significant Risk
Cybersecurity experts highlighted the potential risks that could be posed to individuals whose personally identifiable information is exposed in this way.
Gerry Bruin, Threat Specialist at Adarma, explained that these details will typically be sold on various dark web marketplaces, allowing other actors to purchase and use them for purposes such as fraud, identity theft and spear phishing attacks.
He advised: “Anyone who finds their PII compromised should pay close attention to their bank and credit card accounts for any unusual activity, as well as their emails for potential phishing. There is the option of using various identity monitoring services in these circumstances to try and mitigate the threat.”
Additionally, a successful spear phishing attack against a current employee could allow cybercriminals to bypass security protocols to breach other BBC systems.
The BBC was reportedly impacted by the MOVEit zero-day vulnerability, used by attackers to target thousands of organizations in 2023.