
NorthgateArinso Involved In Pensions Trust Data Breach

One of my professional standards is “get the basics right”.  Advanced and perhaps fancy stuff won’t work properly and will almost certainly leave you open to major embarrassment if/when it falls over.  To use one of my catchphrases, it isn’t rocket science.

Step forward NorthgateArinso, who have had a laptop stolen from their offices.  Yes, it contained personal details.  Yes, it was unencrypted.  This from a company which claims:

NorthgateArinso: delivering HR excellence

NorthgateArinso is a leading global Human Resources software & services provider offering innovative HR business solutions to employers of all sizes, including Global Fortune 500 companies and many Public Sector organizations.

We help HR executives optimize their HR service delivery through smarter process and more efficient technology, supporting key HR areas like workforce administration, multi-country payroll, benefits, recruitment, learning, and talent management.

Don’t NorthgateArinso’s skillsets of excellence include basic IT security like encrypting laptops?  Matthew Henty’s blog details the specifics of the data that went AWOL.  I have a copy of the letter that went out from The Pensions Trust so can confirm that the data on the lifted laptop includes name, address, date of birth, National Insurance number, name of employer, salary details, name of and relationship to nominees and, for those drawing a pension, bank account details.

As if that isn’t bad enough, said laptop was being used for a “database for development, training and performance testing.”

That’s marvellous.  Using live data for a testing regimen?  How lazy is that?  One of the first things you should do when testing systems is to use test data rather than live data.  I remember being told that in school lessons when I was 13!  That’s 24 years ago.  It’s not a new idea.  Yet it is one which NorthgateArinso seem to have ignored.

Matthew asks the same questions I am and makes a very interesting point:

Why were they using live data for training and testing? Why wasn’t the laptop encrypted? Why wasn’t the laptop physically secured? The UK Director, Alex Freeburn, has 18 years experience in the IT industry. Why did he not have in place the procedures to prevent this sort of loss?

Ultimately that has to come down to bad management.  Nearly twice as much experience as me in the IT industry and yet this happens on his watch.

One must also ask who at The Pensions Trust authorised the use of live personal data for a testing database?

The Pensions Trust say in their letter that they have

withdrawn access to personal member data from NorthgateArinso and have also instructed them to delete any existing personal data they hold

As an IT professional I am almost speechless at what I see as a total lack of professionalism from NorthgateArinso.  The Pensions Trust may well be at fault for not checking thoroughly or insisting that dummy data be used but the final responsibility rests with NorthgateArinso.

The questions Matthew Henty has raised deserve a full, honest and spin-free response.

[Image: NorthgateArinso Don't Compromise]

The “don’t compromise” image above is from Alex Freeburn’s page on the NorthgateArinso website.  Well Alex, I’ve got to tell you that somebody compromised.

To the tune of 109,000 Pensions Trust members’ personal data.
