Notification to all Members: Data Incident

DECEMBER 1, 2020

The Cayman Islands Chamber of Commerce Pension Plan is committed to being a responsible custodian of the information you provide to us and the information we collect in the course of operating and providing our pension services.

On 13 November 2020 we became aware that during a routine upgrade of the software used by the Plan’s administrator MUFG, a configuration error meant that certain members were able to access limited member details not related to their own accounts through the self-service portal. MUFG took immediate steps to close down the portal to all members while this system error was investigated.

We are very sorry that this has happened and would like to share the following information to reassure all members that their personal information remains secure. There is no action you need to take, but if you have any further questions or concerns please contact us at 345-943-9125 or 345-943-9130 or by email to pensions@chamberpension.ky

 

What happened?

The member registry system used to administer the Chamber Pension Plan is facilitated by MUFG as administrator for the plan.

On 7 November 2020, MUFG engaged a third party provider to migrate the registry system software to the latest version.  As part of the migration, the employer/employee self-service portal was disconnected from the old version of the software and connected to the updated version. An error in the configuration of the self-service reports available through the portal following the software update meant that certain members were able to access limited member details not related to their own accounts during the five day period from 8 to 13 November 2020.

 

What information was accessed?

MUFG has identified that 13 members accessed the online portal and generated either a PDF, CSV or Excel export of the List of Employees by Employers which was available to them.

Those reports contained the following information:

  • Member number within the plan
  • Full member name
  • Member date of birth
  • Two-digit country of birth – example KY, US, etc.

During the same period, 15 members attempted to generate the Employer Statement in either PDF, CSV or Excel. However, only five of those members selected a date range that produced reports for the following periods:

  • 1-Jan-20 to 7-Nov-20
  • 1-Jan-19 to 31-Dec-19
  • 30-Mar-20 to 11-Nov-20
  • 1-Jan-20 to 11-Nov-20
  • 30-Jun-20 to 11-Nov-20

Those employer reports contained:

  • Employer names and contact details
  • Total employer contribution for the period listed
  • Individual member number but not the member name
  • The contribution amount for the member number for the period searched.

One member generated both the employee report and the employer statement.

 

Information that was NOT accessed:

No bank information, credit or debit card information, contact information, pension balance information, beneficiary information or other personal information was accessed.  

 

What steps have we taken?

  • The member portal was disabled at approximately 10:50 am on 13 November 2020. No member has been able to access the portal or run reports since that date.
  • MUFG immediately contacted its external IT vendor to investigate the configuration error. The online portal will remain closed until this error is corrected and has been thoroughly tested.
  • MUFG identified those members who had run reports that were not related to their own accounts. Each of those members has been separately contacted and steps are being taken to ensure that any data that may have been accessed is securely deleted. There is no evidence that any member accounts have been compromised by an external third party.
  • MUFG has increased the security verification requirements for all telephone enquiries and password resets as an additional precaution.
  • We engaged local counsel and an IT security expert to advise us.

 

What do you need to do?

There is no action that you need to take.

There is no evidence that any member accounts have been compromised by an external third party. We have put in place additional monitoring measures and will contact you immediately if there is any unusual activity with your account.

Although the risk of identity theft or financial fraud is extremely low based on the information that was accessed, we are offering all members the option to sign up to a third party identity fraud monitoring service at no direct cost to the members.  Please email admin@pensions.ky by January 31, 2021 if you would like us to subscribe on your behalf.

 

Who has been notified? 

  • We have made a notification to the Office of the Ombudsman in accordance with our requirements under the Cayman Islands Data Protection Law.
  • We have written to the Deputy Director of Pensions, advising her of the incident.
  • Members who ran reports that were not related to their own accounts have been identified and separately contacted, as set out above.

 

What additional steps are we taking?

 Additional security verification measures have been introduced for all members for telephone enquiries and password resets. We are working alongside MUFG and their provider to ensure that the systems are tested and operational as soon as possible, and also to understand how such an incident came about and what can be done to prevent it in future.

 

The root cause of this incident has been confirmed as a configuration issue and this is being resolved. An external, independent security assessment will then be conducted to verify that the issue has been resolved successfully.

 

Who to contact for more information?

 If you have any additional questions please contact us at 345-943-9125 or 345-943-9130 or send an email to pensions@chamberpension.ky

 
