List of UK pension funds that are not secure by default

By Stephen Kellett
18 December, 2017

This is one of several posts of the topic of security of websites. Inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable. So that data on one institution is not mixed with data on another type of institution.

I thought it would be interesting to look at each bank in the UK to see if when you visit their company homepage, is that secure by default? That is, is the page loaded by HTTPS? There are more tests than this that you could do, but that’s the baseline. If they can’t meet that then the other tests are meaningless.

Some banks provide the website in both http and https versions. This is bad practice. If someone visits the website as http then the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The following key is used for the secure status:

YesThe site is secure, loaded via https
DualThe site can be loaded via http, or via https.
InvalidThe site loads via https, but the security certificate is invalid and thus the site is insecure.
PartialThe site loads via https, but loads some parts of the page without https. The site is insecure.
NoThe site is loaded via http, not via https.
FixedThe site is loaded via https, but at the time of first writing it was loaded via http.
??We could not find a website to evaluate.

We tested 28 pension funds. We found 8 pension funds that did not have a secure home page (not https or did have https with an invalid security certificate). That is 29% of UK pension funds have security vulnerabilities.

Pension FundSecureHome Page
Aviva Staff Pension SchemeNohttp://www.avivastaffpensions.co.uk/retired/default.aspx
BAE Systems Pension SchemeYeshttps://www.baesystemspensions.com/
Barclays Bank UK Retirement FundYeshttps://epa.towerswatson.com/accounts/barclays/
BBC Pension Trust LtdNohttp://www.bbc.co.uk/mypension/join
BP Pension FundYeshttps://pensionline.bp.com/Homepage
British Airways Pension SchemeYeshttps://www.mybapension.com/
British Coal Staff Superannuation SchemeYeshttps://www.bcsss-pension.org.uk/
British Steel Pension SchemeYeshttps://www.bspensions.com/
BT Pension SchemeYeshttps://www.btpensions.net/
Co-operative Group Pension Scheme (Pace)Yeshttps://pensions.coop.co.uk/
Electricity Supply Pension SchemeYeshttps://megtpensions.com/contact-us/
Greater Manchester Pension FundYeshttps://www.gmpf.org.uk/
HBOS Final Salary Pension SchemeYeshttps://www.lloydsbankinggrouppensions.com/
HSBC Bank UK Pension SchemeNohttp://www.futurefocus.staff.hsbc.co.uk/
ICI Pension FundNohttp://www.icipensionfund.org.uk/
Lloyds TSB Group Pension SchemeYeshttps://www.lloydsbankinggrouppensions.com/
Mineworkers Pension SchemeYeshttps://www.mps-pension.org.uk/
National Grid UK Pension SchemeYeshttps://www.nationalgridpensions.com/362/1320/welcome-to-the-national-grid-uk-pension-scheme-website
Railways Pension SchemeYeshttps://www.railwayspensions.co.uk/
RBS Group Pension FundYeshttps://rbs.tbs.aon.com/
RBS Group Pensioner’s AssociationNohttp://rbsgpa.org.uk/
Rolls-Royce Pension FundYeshttps://www.rolls-roycepensions.com/Homepage
Royal Mail Pension PlanYeshttps://www.royalmailpensionplan.co.uk/
Shell Contributory Pension FundNohttp://pensions.shell.co.uk/scpf.html
Strathclyde Pension FundYeshttps://www.spfo.org.uk/
Universities Superannuation SchemeYeshttps://www.uss.co.uk/
West Midlands Pension FundNohttp://www.wmpfonline.com/
West Yorkshire Pension SchemeNohttp://www.wypf.org.uk/

Commentary

It is surprising to see the pension funds of some banks are insecure, even though the banking website for it’s customers are secure.

While I find it very worrying that some banks and wealth managers etc are not secure, people whose funds are in a pension, that is often their only form of income, thus if access to the pension fund become compromised for a particular person, that could be all their future income being erased. This is not a pleasing prospect. As with banks, wealth managers, etc, these pension funds should manage their security with greater care and diligence.

Fully functional, free for 30 days