The Pensions Trust have written to some of their members to inform them that NorthgateArinso, “delivering HR excellence”, have had an unencrypted laptop containing personal details stolen from their offices.
The personal details stolen, for members of six of the Pensions Trusts 39 schemes (as of May 2007) were:
- date of birth
- National Insurance numbers
- name of employer
- salary details
- information on nominees (name and relationship)
- bank account (for those in receipt of a pension)
That is quite a list. Apparently NortgateArinso were using the now stolen laptop as a, “database for development, training and performance testing.” Why were they using live data for training and testing? Why wasn’t the laptop encrypted? Why wasn’t the laptop physically secured?
The Pensions Trust have reported the loss to the Information Commissioner, and attempt to reassure members that, “the data was password protected and as such, not easily accessible.” and that, “NorthgateArinso regret that this theft has occurred and are doing everything possible to retrieve the data” but I suspect it is too late.
Scans of letter and factsheet from Pension Trust below the fold.
UPDATE: This is now in the media: BBC News, Professional Pensions, The Register. Also commentary from Jamie Dowling at View From Planet Jamie and logged at DataLossDB and the Open Rights Group UK Privacy Debacles wiki.