UPDATE: Exchange of emails with Rosemarie McClean, Chief Executive of Pension Administration, UNJSPF, about the potential security breach related to the publishing on Facebook of personal data of UNJSPF Fund members by a third party on April 18, 2021.
From: Loraine Rickard-Martin
To: Rosemarie McClean
Cc: Martha Helena Lopez, Maria Luiza Ribeiro Viotti
Date: Fri, Apr 23, 2021 at 6:01 PM
Subject: Re: Open message: UNJSPF potential security breach: Publishing of personal data of UNJSPF Fund members by a third party
Dear Rosemarie,
Thank you for your response. I am gratified to note that the Fund will “do [its] utmost to make sure pension payments continue” for retirees lacking 2020 Certificates of Entitlement. However, you provide no assurance regarding my concern that given the particular communications and other challenges of Covid-19, the Fund should “on humanitarian grounds, refrain from any suspension of benefits until the situation of each retiree can be satisfactorily clarified.”
You imply, by stating that the Fund “look[s] to further strengthen the handling of personal data with the associations [FAFICS]”, that the Fund intends to continue sharing retirees’ personal data with an organization that has just been caught mishandling such data, at least for “400 retirees and beneficiaries …published on a social network by a local retiree association”, according to this post on the Fund’s website dated 19 April:
The list of retirees' personal data that was published on Facebook pertained to UNICEF retirees only. Your response does not allay the concern I raised in my message that data from “the UN and its funds, programmes and agencies in the same situation, were also similarly shared with FAFICS” and similarly mishandled.
How can the Fund be confident that the mishandled data was confined to the 400 UNICEF retirees in question and that data of retirees from the UN or its funds and programmes, was not similarly mishandled by FAFICS? My experience with FAFICS, which is shared by many retirees, of whom the vast majority (75 per cent) are not members of FAFICS, does not inspire confidence concerning any of its activities.
While I appreciate your response, it also does not answer my stated concern about “specific steps [is] the Fund [is] taking to inform its members about the extent of the security breach”, information that the Fund clearly does not currently have, since its post of 19 April limits the security breach to a single case about which it is aware. Yet, it is undoubtedly the Fund's responsibility to perform its own due diligence and not rely on the word of any third party. Until that occurs, and with all good intentions, you will continue to be unable to address my concern about how the Fund intends to “mitigate the risk of members’ data being compromised”.
With appreciation and regards,
Loraine
From: Rosemarie McClean
To: Loraine Rickard-Martin
Cc: Martha Helena Lopez, Maria Luiza Ribeiro Viotti
Date: Fri, Apr 23, 2021 at 3:19 PM
Subject: RE: Open message: UNJSPF potential security breach: Publishing of personal data of UNJSPF Fund members by a third party
Dear Loraine,
Thanks for your further message.
Please rest assured that the Fund’s main concern is to prevent the suspension of benefits whenever possible, and we will do our utmost to make sure pension payments continue. It is a fact that retirees/beneficiaries are spread across the world, making it challenging to reach and locate retirees/beneficiaries with missing certificates of entitlement.
While I don’t want to minimize the incident, associations of retirees have been extremely helpful over the years in helping to prevent thousands of suspensions of benefits.
In light of what happened, we have taken action and look to further strengthen the handling of personal data with the associations.
Regards,
Rosemarie
Rosemarie McClean | Chief Executive of Pension Administration
United Nations Joint Staff Pension Fund (UNJSPF)
_____________________________________________________________________________
From: Loraine Rickard-Martin
To: Rosemarie McClean
Cc: Martha Helena Lopez, Maria Luiza Ribeiro Viotti
Date: Wed, Apr 21, 2021 at 1:12 PM
Subject: Re: Open message: UNJSPF potential security breach: Publishing of personal data of UNJSPF Fund members by a third party
Dear Rosemarie,
I appreciate your prompt response. Here are my further comments about the incident in question.
You state that “the posting of the data was an error, done wholly without the Fund’s authorization.”
The data emanated from the Fund
The Fund did not authorize the posting of the data on Facebook. However, the data could only have emanated from the Fund, and someone from the Fund had to have authorized the data being shared with the purported retiree organization (FAFICS) that resulted in the misuse of sensitive information, and a potential security breach of the data of all Fund members.
You state: "we continue to consider effective ways of reaching out and ensuring that retiree benefits continue in payment as part of the annual Certificate of Entitlement exercise."
What efforts is the Fund making to locate retirees with missing CEs?
Besides soliciting the assistance of FAFICS (the sole subject of the use of the word "collusion" in a 2018 internal governance audit of the Fund (A/73/341, 6 September 2018, paragraph 27) whereby the Fund used its internal email system to disseminate misinformation by FAFICS), what other methods is the Fund employing to contact its members who have not submitted their 2020 CEs and are at risk of having their benefits suspended but are presumably currently still receiving benefits?
Why could the Fund not make constructive use of its internal email system to solicit the assistance of its beneficiaries in locating other retirees with missing CE’s, without of course disclosing information such as pension fund numbers or other sensitive data?
Why is the Fund unable to locate retirees with missing CEs through the same method by which they are receiving payments – a financial institution, a UN office, or the street address on the Fund’s files? The UN, after all, has offices of its funds, programmes and agencies, in every corner of the globe.
A humanitarian approach during Covid-19
May I take it that your statement means that the Fund will continue to make every effort to avoid suspension of the benefits of any retiree? Particularly during Covid-19 where Fund members around the world may be experiencing obstacles that include communication, the Fund must make extraordinary efforts to reach retirees without 2020 CEs and in the meantime, on humanitarian grounds, refrain from any suspension of benefits until the situation of each retiree can be satisfactorily clarified.
What specific steps is the Fund taking to maximize service to its members that do not include sharing sensitive information with external bodies or persons, that could put the data of all Fund members at risk of a security breach?
You state that the Fund “is taking the appropriate steps to ensure that it does not happen again ...”
The security breach persists
While your statement can be interpreted to mean that the Fund will ensure that it does not in future share sensitive information with any external person or body, including FAFICS, the fact is that deletion of the post from Facebook does not eliminate the problem of the security breach, since the data that was posted, and whatever data on other retirees that was otherwise disseminated (again the post on Facebook was only about UNICEF retirees) may still be at risk of further dissemination.
You state that the Fund is "taking the appropriate steps ...to address the breach with the Fund's retirees."
What is the extent of the security breach?
The data posted on Facebook was for UNICEF retirees with missing CEs only. I understand that the l data included additional personal information that was deleted before the list was disseminated.
It stands to reason that data for retirees from the UN and its funds, programmes and agencies in the same situation, were also similarly shared with FAFICS, and by FAFICS with other bodies. That could mean, in my estimation, based on the number of persons on the UNICEF list that was posted, that the data of hundreds or even thousands of retirees could be compromised.
What specific action is the Fund taking to address the security breach?
Finally, what specific steps is the Fund taking to inform its members about the extent of the security breach and to mitigate the risk of members’ data being compromised?
Again, thank you for your prompt response and attention.
Sincerely,
Loraine
______________________________________________________________________
From: Rosemarie McClean
Cc: Martha Helena Lopez, Maria Luiza Ribeiro Viotti
To: Loraine Rickard-Martin
Date: Tue, Apr 20, 2021 at 12:17 PM
Subject: RE: Open message: UNJSPF potential security breach: Publishing of personal data of UNJSPF Fund members by a third party
Dear Ms. Rickard-Martin,
Thank you for your email and the concerns that you raised, which I have noted.
The posting of the data was an error, done wholly without the Fund’s authorization. We are taking the appropriate steps to ensure that it does not happen again and to address the breach with the Fund’s retirees.
In the context of your comments, we continue to consider effective ways of reaching out and ensuring that retiree benefits continue in payment as part of the annual Certificate of Entitlement exercise.
Best regards,
Rosemarie
Rosemarie McClean | Chief Executive of Pension Administration
United Nations Joint Staff Pension Fund (UNJSPF)
______________________________________________________________________________
From: Loraine Rickard-Martin
To: Ms. Rosemarie McClean, Chief Executive of Pension Administration
Copy: Ms. Martha Helena Lopez, UNJSPF Board Chair
Copy: Ms. Maria Luiza Ribeiro Viotti, Chef de Cabinet
Sunday, April 18, 2021, 3.14 pm
Subject: RE: Open message: UNJSPF potential security breach: Publishing of personal data of UNJSPF Fund members by a third party
Dear Ms. McClean,
As you are clearly aware, because apparently (see below) the Fund's legal office has intervened, the personal information of a number of Fund members was published on Facebook. This security breach occurred in the early hours of this morning, 18 April 2021, and was removed at around 11 am EST.
I am concerned that action taken in response to this incident is insufficient to mitigate its potential deleterious effects regarding Fund data on any or all participants and beneficiaries, since the original list with personal identifying information could have been saved by any number of recipients and continue to be disseminated.
The original message (below), bearing the heading of “XUnicef News and Views” is signed by Carlos Santos Tejada, identifying himself as “one of the VPs of FAFICS (Federation of Associations of Former International Civil Servants)." It was posted on Facebook by a Fund retiree from UNICEF.
You will note that while the message does not emanate from the UNJSPF, it displays the Fund's logo, adding an element of misrepresentation.
Alarmingly, the original message (later revised) included a link to a list containing not only the names of dozens of UN Pension Fund members and their countries of residence, but their pension fund identification numbers as well.
Currently the link in the “XUnicef” message connects to a revised message (also below), new text in yellow highlights, as follows:
“UPDATE: Out of privacy concerns the Legal Officer at UNJSPF has requested that Carlos remove the list of former staff who are in danger of losing access to their pensions. We regret the inconvenience.
Members can check their status on the UNJSPF website by logging in to Member Self-Service by clicking here or at:
Link to member Login page." (Not published here for security reasons).
At the time of reading the original message, early this morning, I checked the Fund’s website and found no corresponding information or list related to Fund members at risk of suspension of their benefits “due to a lack of the 2020 Certificate of Entitlement”.
While I understand the practicality of enlisting assistance from retiree organizations for this purpose, I trust you will agree that FAFICS, or any other individual or organization, has no right to the personal pension information of any UNJSPF member, and not only because a vast majority of Fund members are not members of FAFICS.
I would like to add a comment related to escheatment, or unclaimed funds -- an unrelated issue but one involving publicity -- where other financial institutions have adopted the practice of making information publicly available. This is a matter that has long been unaddressed and on which the Fund is overdue to adopt an effective policy.
Needless to say, that issue, and the issue of missing CE's in question, must be scrupulously handled in a manner that respects the Fund's security protocols.
Now that the list with personal identifying information has been disseminated, through FAFICS and Facebook, I am writing as a Fund beneficiary, to ask that you urgently inform Fund members of the potential security breach, including how you will ensure that this information cannot be used to compromise the Fund’s data either related to the persons concerned or to any other UNJSPF participant or beneficiary.
Thank you for your attention.
Sincerely,
Loraine Rickard-Martin
Beneficiary, UNJSPF
----------------------------------------------
URGENT ACTION NEEDED by 21 MAY 2021 - Help Find Former UNICEF Staff Facing Suspension of UN Pensions : Carlos Santos-Tejada
PLEASE HELP CONTACT THE FORMER STAFF LISTED ON LINKS BELOW
As one of the VPs of FAFICS (Federation of Associations of Former International Civil Servants), we have been requested by the Pension Fund to make our best efforts to contact retirees and other pension beneficiaries who are at risk of having their pension payments suspended due to the lack of the 2020 Certificate of Entitlement. As you can see from the message reproduced below, there is a process in place to prevent such suspension from taking place.
Please attempt to reach as many of those listed, by word of mouth from acquaintances and former colleagues.
Warmest regards,
Carlos Santos Tejada
https://xunicefnewsandviews.blogspot.com/2021/04/urgent-action-needed-by-21-may-2021.html?fbclid=IwAR10vuUThEji1ONgCCdPJCxf3vxxMRGKfHH67keWJ_6qwUpFhUAkdtua928
URGENT ACTION NEEDED by 21 MAY 2021 - Help Find Former UNICEF Staff Facing Suspension of UN Pensions : Carlos Santos-Tejada
PLEASE HELP CONTACT THE FORMER STAFF LISTED ON LINKS BELOW
UPDATE: Out of privacy concerns the Legal Officer at UNJSPF has requested that Carlos remove the list of former staff who are in danger of losing access to their pensions. We regret the inconvenience.
Members can check their status on the UNJSPF website by logging in to Member Self-Service by clicking here or at:
Link to Member Login page. (Removed for security reasons.)
As one of the VPs of FAFICS (Federation of Associations of Former International Civil Servants), we have been requested by the Pension Fund to make our best efforts to contact retirees and other pension beneficiaries who are at risk of having their pension payments suspended due to the lack of the 2020 Certificate of Entitlement. As you can see from the message reproduced below, there is a process in place to prevent such suspension from taking place.
Please attempt to reach as many of those listed, by word of mouth from acquaintances and former colleagues.
Warmest regards,
Carlos Santos Tejada