Capita, one of the UK’s largest outsourcers, has written to pension clients confirming that some data it processed was likely to have been hacked during a recent cyber attack.
Last month, Capita disclosed a cyber attack in March had potentially affected about 4 per cent of its servers with “some evidence of limited data exfiltration” affecting customer, supplier or colleague data.
Regulators have since urged clients of Capita, including hundreds of pension funds, big insurers and public sector departments, to check whether their member and consumer data had been compromised in the hack.
In correspondence sent to trustees on Thursday, the contents of which have been seen by the Financial Times, Capita said a large team of staff had searched the servers that had been affected by the attack to understand what data might have been lost.
The outsourcer said it has “identified from those investigations” that some pensions data that Capita processes on behalf of its clients “is likely to have been exfiltrated”.
“To be clear, this does not necessarily mean that your data has been identified as exfiltrated, it means that your data was on [Capita] servers from which some data is likely to have been exfiltrated,” it said in the message.
Capita told trustees it expected the investigations to be finalised “by the end of next week or shortly thereafter”. It added that there was “no evidence” that Capita pensions data was available on the dark web and that it had a third-party specialist checking on a regular basis. It had rebuilt its server infrastructure to reduce the risk of a similar incident recurring, according to the message.
Capita is a large outsourcer to the private and public sectors and is one of the UK government’s biggest contractors. Its services include running the London congestion charging zone, collecting the BBC licence fee and overseeing training for the Royal Navy.
In a statement to the FT, Capita said it was “working closely with specialist advisers and forensic experts” in investigating the cyber incident “to provide assurance around any potential customer, supplier or colleague data exfiltration”.
“Capita continues to work through its forensic investigations and inform any customers, suppliers or colleagues that are impacted in a timely manner,” it added.
The correspondence came to light as some pension clients of Capita reported they were “struggling” to get information from the outsourcer about the incident more than five weeks after it was detected.
One legal expert who works for a Capita pension client told the FT: “Trustees and managers are struggling to get data specific to their scheme’s situation. They are concerned to find out whether their schemes have been affected by the data breach.”
The Pensions Regulator said it was “engaging directly” with Capita regarding its communication with pension scheme clients.
“We are continuing to closely monitor the incident at Capita,” TPR said. “This is an ongoing situation with more detail emerging daily. We are in contact with trustees, other regulators and Capita.”
The regulator added “we are speaking to Capita about what they are able to share with trustees”.
TPR and the Financial Conduct Authority have written to clients of Capita, urging them to check if they had been affected by the Capita cyber attack, and report this to the Information Commissioner’s Office, if relevant. Earlier this week, the FCA also said it had “continued to engage” with Capita to understand the extent of the breach.
Organisations are required to notify the ICO, which regulates data protection, of a personal data breach within 72 hours of becoming aware of an incident, and also contact affected individuals.
The ICO confirmed to the FT it had received reports of data breaches likely linked to a cyber attack at Capita. In its first confirmation of data breach reports from the outsourcer’s clients, the regulator said: “We have received other breach reports believed to be in connection with the Capita incident.”