M&S and Diageo pension plans hit by Capita cyber attack

Tens of thousands of members of the Marks and Spencer and Diageo pension schemes have been warned their personal data was likely to have been stolen by hackers during a cyber attack at Capita, the outsourcer.

The M&S and Diageo pension funds were among hundreds of private-sector retirement schemes which used Capita to support their pension administration services. Capita detected a cyber incident in March and confirmed in April that it was the victim of a hack which affected some customers.

On Thursday, the M&S pension scheme said the cyber attack at Capita in March may have affected the security of personal data for a “large proportion” of scheme members including the “majority” of pensioners who had worked at the retailer.

It added that “if personal data is accessed it could be used for fraud, identity theft or to send malicious emails.”

“Capita cannot be certain that this data has been accessed, but we believe it’s appropriate to act as if this is the case and warn affected members about the potential risks,” the pension scheme said in a statement, published on its website.

According to its 2021 accounts, the M&S pension scheme had 106,000 members with around 53,000 of those pensioners. Trustees of the M&S pension plan declined to comment beyond the statement on the website.

Meanwhile, Diageo said some of its 32,000 pension members were affected by the incident. It said it was still working with Capita to establish the full impact of the hack.

Capita is now offering some Diageo pension scheme members complimentary membership of a service that helps detect possible misuse of personal data.

A Diageo spokesperson said: “We have written to those members to assure them that there has been no impact to the Diageo Pension Scheme and that their benefits are safe.” The possible data breach around Diageo’s pension plan was first reported by The Scotsman.

The announcements from Capita’s private sector clients come nearly two months after the outsourcer first detected a cyber incident. The outsourcer had initially said last month that there was “no evidence” of customer data being compromised by the hack.

On Thursday, USS, the UK’s biggest private-sector pension plan, said it would offer members free access to an identity protection service after their details were put at risk by the Capita hack. USS is a Capita client which last week announced that 470,000 members’ details were at risk.

“We will be writing to [the members] as soon as possible setting out how [the identity protection service] will work,” USS said in a statement.

USS declined to comment on how the ID theft protection service would be funded. But the company understood that this would not be paid from members’ funds.

Aaron Le Marquer, head of policyholder disputes department at UK law firm Stewarts, said it was highly likely that other affected pension plans or other financial institutions whose customer data was at risk of being compromised by the Capita breach would be offering similar protection to their members or customers.

They would probably “seek to recover such costs from Capita, leading to the question of whether Capita is covered for such third-party liabilities under the terms of its cyber insurance,” he warned.

USS declined to comment on whether it would retain Capita’s services.

Meanwhile, Derby City Council became the latest local authority to reveal that it had been affected by a separate data security incident in which files, including details on benefit payments, were left exposed on an unsecured Amazon Data Bucket controlled by Capita. The council said it was reviewing its arrangements with Capita.

The Information Commissioner’s Office, the data regulator, said if an identity is stolen, the victim is at risk of losing money and may find acquiring loans, credit cards or a mortgage difficult.

Capita said it was informing affected clients and that it was working closely with “specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data”. It previously said that “in instances where we need to provide further support to those affected, we will do so”.

This story has been amended to clarify Aaron Le Marquer’s job title.
