Capita’s own pension scheme suffered data breach in March hack

Receive free Capita PLC updates

We’ll send you a myFT Daily Digest email rounding up the latest Capita PLC news every morning.

Members of Capita’s own pension fund have been told that their data was stolen in a cyber attack in March that affected dozens of private sector retirement schemes using the outsourcer’s administration services.

“We are informing those we have identified to be affected by the incident, and Capita colleagues are being contacted where necessary as part of that process,” the company said, without giving any details.

The notification sent to Capita’s pension fund members, first reported by the Times, comes more than three months after the hack. The outsourcer said investigations were still ongoing.

The revelations folow the trustee of the PwC pension fund warning members of its defined benefit scheme late last month that dates of birth and retirement had been accessed during the Capita hack. Members had been told in May that names, data including national insurance numbers and member ID numbers could have been compromised. 

In its latest letter to members, the PwC pension trustee said that “Capita could not confirm to us that this information was final, complete and accurate”.

Details of over half a million members of UK’s private sector pension schemes may have been stolen in the Capita cyber attack. USS — the UK’s biggest private sector pension plan — warned in May that the personal data of about 470,000 members may have been stolen during the hack.

The pension schemes of Pearson, Marks and Spencer, Diageo, Unilever, and BAE said that their members’ personal data was likely to have been stolen.

While many affected members have been offered access to a monitoring service, some have said this is insufficient. One USS member described it as a “non-solution that places the onus on the victims to monitor our own potential identity theft”.

Many of those affected have been distressed. “In a way I feel I would like to change my complete identity,” said one PwC pension fund member. “There’s so much of me that’s now out in the hands of somebody else who can choose to use it however they want.”

Capita said it had used third-party consultants to monitor the dark web since the cyber incident occurred and there had been no evidence of any data for sale.

Many pension scheme members are considering taking legal action, with law firm Barings Law initiating proceedings with a pre-action letter to Capita last month in response to the recent data breaches.

The outsourcer handles the data of hundreds of private and public sector clients, including the BBC and the Royal Navy. The cyber attack also affected NHS England, with files containing names and NHS numbers of deceased and deregistered patients among the documents accessed.

Capita has also been criticised for the handling of a separate incident involving its work with local councils after some of its data was stored on an unsecured Amazon data bucket at the end of April.

Despite the fallout, Capita has continued to win contracts. The City of London Police announced in June that the outsourcer had been appointed to operate a contact centre for the reporting of fraud and cyber crime.