The ICO is receiving a large number of reports about the Capita data breaches 

ICO website Home Screen

The Information Commissioner’s Office (ICO) – which is the UK’s data protection regulator – has published a statement about the Capita data breaches.

The statement reveals that the ICO is receiving a large number of reports about two data protection breaches at Capita – one of the UK’s most prominent business process outsourcing and professional services companies.

Capita Data Breach One

The first data breach relates to a ransomware cyber-attack that happened in March 2023 when criminals exfiltrated some data from Capita’s servers.  

Capita provides outsourced pension administration services to over 450 pension providers across the UK and several of them have confirmed that they are affected by the breach. So far, we believe that over half a million UK pension holders   could be affected by this data security incident.  

Personal data, including names, dates of birth and National Insurance numbers may have been accessed by hackers. Other valuable information may also have been compromised and we understand financial/bank details were also affected.

Capita Data Breach Two

The second data breach relates to the use of publicly accessible storage. Colchester Council has shared its “extreme disappointment with Capita” after benefits data for 2019-20 and 2020-21 was found on an unsecured storage platform (an unsecured Amazon Data Bucket controlled by Capita). This data security incident is believed to affect several other local authorities. 

The bucket which contained more than half a terabyte of data, had been exposed online and unprotected by a password since 2016. Capita claims that that no personal bank account details have been compromised in this incident.  

The ICO’s statement on the Capita data breaches

The statement from the IC), which was posted on 26 May 2023, reads:  

“We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. 
“We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries. We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps. 
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.” 

Can you claim compensation for the Capita data breaches?

At KP Law, our cyber experts are investigating the breaches to find out what happened and who is affected.  

If you receive notification that you are affected by a Capita data breach, register below to receive updates on our investigation. We’ll let you know what’s happening, and if you can make a no-win, no-fee data breach compensation claim. 

In March 2024, our firm changed its name to KP Law. 

Share this article: