What exactly happened?
An employee of Blue Sky Group recently gave access to a mailbox by accident after receiving a phishing email. Unfortunately, this allowed hacker(s) to get hold of certain personal data. This concerns data of those involved with the pension funds for which we work, with the Blue Sky Eagle fund and with the Blue Sky Group itself.
What data has been leaked?
Based on the information we now have, the following data has almost certainly been leaked for participants for whom a pension payment or value transfer was made:
- Name and address details
- Policy numbers
- Pension amounts
- Payment details
Preliminary analysis indicates that there is a low probability that personal data has been leaked from participants who are not yet retired.
Is the payment of pension benefits in danger?
No, the data leak is separate from regular, procedural work. All payments will continue as usual, just like all other administration activities. We are, however, extra alert to attempts at swindling or fraud. To this end, stricter measures have been taken. For example, extra checks have been made in our payment processes.
The data breach also did not give access to the pension fund's assets, so no money was lost.
Has anyone's data disappeared?
No, all the data is still available, so that we can continue to do our work as usual and (personal) data does not need to be resubmitted.
Do people have to set new passwords?
This is not necessary. Passwords are not part of the leak.
Who are the hackers?
We do not know. We have no contact with them.
Have you reported the incident?
We have reported the incident to the Personal Data Authority. In addition, Blue Sky Group will file a report with the police.
Can the hackers use the captured data to start making payments in someone else's name, causing people to lose money?
No, hackers themselves cannot make direct payments from other people's bank accounts. This requires the cooperation of participants. This cooperation can be requested through so-called phishing mails. We ask all those involved to be extra alert to this.
What are the concrete consequences for participants?
There is a possibility that those who now wrongfully have certain personal data at their disposal will try to impersonate someone else. With this they can approach companies or banks, for example, to change things. Companies and banks are very alert to this nowadays.
Another possibility is that they approach pension fund members by mail or phone, pretending to be employees of BSG or IFF pension fund. We have emailed and/or sent a letter to everyone with instructions:
- Pay close attention to the sender, email address and spelling errors;
- BSG or the pension fund never ask for passwords or changes in payment details by email, nor do they ask you to click on links or simply to refund money;
- If in doubt, contact the pension fund via the regular channels to check whether an e-mail is authentic;
- Report phishing and any other fraudulent contacts to BSG so that we can take further action.
Have any related phishing emails been received to date?
To date, four suspicious phishing emails and one suspicious phone call have been received. One of these emails came in at another pension fund. Thanks to their very well-functioning systems, the email was immediately identified as suspicious and was not responded to.