In March 2023, Capita experienced a ransomware cyber-attack. This breach affected several of Capita’s clients, most notably those it provides pension administration services to. And that’s no small number as Capita currently supports over 450 clients in the UK.
Anyone who has a pension with one of these companies may have had their data stolen.
Our investigators believe that the Russian-based ransomware group BlackBasta was likely responsible. The criminals claimed they had the Capita data in a now-deleted online post. Capita has declined to comment on whether it paid the ransom.
As yet, we do not have a definitive list of all the data that has been compromised in this hack. However, reports have speculated that names, dates of birth, retirement dates, and National insurance numbers are at risk. And now, a letter from trustees of the PwC pension scheme states that ‘Capita could not confirm to us that this information was final, complete and accurate’.
As a result, victims of the Capita data hack are left not knowing what personal data is in the hands of cybercriminals. Or what they will do with it. This has left pension holders worried that the stolen data could include their bank account details. Certainly, this has not yet been ruled out.
Who is responsible for the Capita data hack?
While it was Capita that was breached, the schemes that use Capita’s services remain “responsible for the security of” their members’ data. Following the data breach, The Pensions Regulator (TPR) advised trustees of those schemes to “check whether your pension scheme’s data could be affected”, and to contact their members “proactively to warn them about pension scams “.
Capita has yet to confirm how many of its clients were impacted. However, we do know that the following pension plans may have had member data stolen:
- The Universities Superannuation Scheme (USS). The USS is the biggest private sector pension plan in the UK. Around 470,000 members may have had their detail stolen in the Capita cyber-attack.
- Marks & Spencer. In 2021 the scheme had 106,000 members with about 53,000 of those pensioners.
- Diageo. The drinks maker has said that around 32,000 pension members have been affected by the incident.
- Rothesay. Around 50,000 individuals are thought to be affected.
- PwC. A letter from the trustees of the PwC pension scheme confirms that member data has been exfiltrated.
- Unilever. Capita has confirmed that some Unilever member data may have been accessed by the unauthorised third party.
- BAE Systems.Following a detailed investigation, Capita notified the Trustee that, personal details of approximately 8,000 pensioner members with SIPS benefits were included in copies of the data that were taken by the cyber attackers.
Are pension holders at risk?
Unfortunately, yes. And to ensure they do not fall victim to further attacks, affected pension holders must be vigilant.
At KP Law, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. Our data protection experts strongly advise anyone involved in this breach to be vigilant and take necessary precautions.
The affected pension plans should be writing to their members to inform them about the breach and provide additional advice on how to stay safe.
If you receive notification that you are affected by the Capita data breach, register below to receive updates on our investigation and join our no-win, no-fee data breach compensation claim.
