FCA contacts Capita’s clients over cyber attack
The UK financial regulator has contacted clients of Capita, the outsourcer which suffered a cyber attack in March, urging companies including insurers and pension funds to determine customer data losses from the data breach.
The involvement of the Financial Conduct Authority comes amid growing concerns over what the hackers may have accessed. Over the weekend, The Pensions Regulator confirmed it had written to the hundreds of pension funds that employ Capita to help administer their payment systems, urging them to “determine whether there is a risk to their scheme’s data”.
“We have continued to engage with Capita since their cyber incident was reported to understand the extent of any data compromise and impact on the firms they provide outsource services to including their underlying customers,” the FCA told the Financial Times.
The FCA declined to comment any further, but said it was coordinating with other authorities.
The FCA said: “We have also written to FCA regulated firms that are clients of Capita to ensure they are fully engaged in understanding the extent of any data compromise.” It added that it was the responsibility of the companies to notify regulators, including the Information Commissioner’s Office (ICO), as well as affected consumers.
Firms contacted by the FCA include insurance companies which also use Capita for their administration services. Bulk annuity providers Pension Insurance Corporation (PIC), Rothesay and Just Group use Capita’s systems to manage things such as pension payments and customer communications, while FTSE 100 insurers Phoenix Group and Aviva also use the outsourcer for a segment of their customers, according to people familiar with the matter. One said the risk of data loss remained an “open question”.
“There is no evidence currently to suggest that any of our customers’ data was accessed. We continue to work closely with Capita,” said Aviva. The other insurers declined to comment.
PIC has employed a third-party specialist that has not uncovered any evidence of data loss, according to a person familiar with its position. Capita has provided “verbal confirmation” to Phoenix that its customers had not been affected, someone familiar with the interaction said.
The FCA said it had also been coordinating with “other relevant authorities”, including the ICO. The FCA declined to comment further.
Capita is a major outsourcer to both the private and public sectors and is one of the UK government’s biggest contractors. The company provides IT services among its businesses, which also include running the London congestion charging zone, collecting the BBC licence fee and overseeing training for the Royal Navy.
It also delivers services to medical practitioners in England, assisting GPs, dentists, opticians and pharmacists with the ordering of medical supplies, the accessing of medical and pension records, and the processing of payments.
In late March Capita first disclosed an “IT issue” that left staff unable to access some systems and disrupted services provided to local authority clients.
Last month Capita said it had experienced a “cyber incident” which had primarily impacted access to internal Microsoft Office 365 applications and subsequently confirmed the data breach. It said the incident affected about 4 per cent of its servers, and that it had found “some evidence of limited data exfiltration”.
“Capita has already confirmed that it continues to comply with all relevant regulatory obligations,” the group said in a statement to the FT.
In a letter, which was first reported by the Sunday Times, the Pensions Regulator asked trustees of more than 300 schemes to contact Capita to find out whether their data could have been caught up in the breach.
USS, the UK’s largest private-sector pension plan, said it was “currently not aware of any impact” on its data, following the cyber attack, but that it was “liaising closely” with Capita.
The ICO declined to comment beyond its statement in April, where the authority confirmed that Capita had reported the incident, and it was “assessing the information provided”.