Capita data breach could affect more than half a million UK pension holders  


In March 2023, Capita experienced a cyber-attack. Capita is one of the UK’s most prominent business process outsourcing and professional services companies. Following the security incident, criminals exfiltrated some data from Capita’s servers.

Capita currently provides pension administration services to over 450 clients in the UK. Following the breach, The Pensions Regulator (TPR) reminded those schemes that used Capita’s services that they were “responsible for the security of” their members’ data and advised affected trustees to “check whether your pension scheme’s data could be affected”. The TPR also warned affected schemes to contact their members “proactively to warn them about pension scams”.

Which pensions are affected by the Capita data breach?

Capita has yet to confirm how many of its clients were impacted. However, we do know that the following pension plans may have had member data stolen:  

The Universities Superannuation Scheme (USS)

The USS is the biggest private sector pension plan in the UK. Around 470,000 members may have had their details stolen in the Capita cyber-attack.

Various local authorities are involved, including:

Colchester Council has shared its “extreme disappointment with Capita” after benefits data for 2019-20 and 2020-21 was found on an unsecured storage platform in a separate data breach incident.   

Marks and Spencer pension scheme

In 2021, the scheme had 106,000 members, about 53,000 of them pensioners.

Diageo pension scheme

The drinks maker has said that around 32,000 pension members have been affected by the incident.   

Unilever pension scheme

Capita has confirmed that some Unilever member data may have been accessed by the unauthorised third party. 

Rothesay pension scheme

Around 50,000 individuals are thought to be affected. 

Capita also has contracts with the NHS, National Cyber Security Centre, the Cabinet Office, the MOD, and other government agencies. 

What data has been accessed in the pension data breach?

We have yet to find all the data that has been compromised. But according to USS, the following member data may have been accessed by hackers:  

According to reports, the data might include other valuable information – possibly including sensitive and special category data. We understand financial/bank details were also included.

Are pension holders at risk?

While it is not yet clear whether the data held on Capita’s servers was definitely accessed or copied by the hackers, affected pension holders should be vigilant to ensure they do not fall victim to further attacks.

At KP Law, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. Our data protection experts strongly advise anyone involved in this breach to be vigilant and take necessary precautions.    

The affected pension plans should be writing to their members to inform them about the breach and provide additional advice on how to stay safe.  

What are we doing about the Capita data breach?

Our cyber experts are investigating the breach to find out what happened, which pension plans are involved, and how the breach affects members of these plans.

While Capita initially insisted that hackers had simply managed to disrupt the business’s internal systems, it is now accepted that the incident was a ransomware attack leading to a potential data breach.

Our investigators believe that the Russian-based ransomware group BlackBasta was likely responsible. The criminals claimed they had the Capita data in a now-deleted online post. Capita has declined to comment on whether it paid the ransom.

Can you make a Capita data breach compensation claim?

If you receive notification that you are affected by the Capita data breach, register below to receive updates on our investigation. We’ll let you know what’s happening, and if and when you can make a no-win, no-fee data breach compensation claim. 

In March 2024, our firm changed its name to KP Law. 
