UK pension funds warned to check on clients’ data after Capita breach

Hundreds of pension funds in the United Kingdom have been told to check whether their clients’ data had been stolen as a result of the Capita hack in March.

Capita, the country’s largest outsourcing company, holds contracts to administer the payment systems for pension funds used by more than 4 million individuals in Britain.

The company confirmed two weeks ago that it was investigating the publication of data apparently stolen by a ransomware group, following the Black Basta gang publishing sensitive data referencing home addresses and passport images.

The Pensions Regulator has written to hundreds of pension funds, as first reported by the Sunday Times, urging the trustees of these pensions to contact Capita to learn if their data had been affected.

In Capita’s initial statement in April to the Regulatory News Service — the formal mechanism for publicly listed companies in the U.K. to communicate to the market — it said there was “no evidence of customer, supplier or colleague data having been compromised.”

The company subsequently clarified that such evidence may emerge as the company continues to analyze the incident: “Our investigations have not yet been able to confirm any evidence of customer, supplier or colleague data having been compromised.”

It later announced: “There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.”

The full extent of the data breach is not yet clear. A spokesperson for Capita said: “Since March 31, we have been in regular contact with trustees and regulators, and we will keep them updated as our investigation into the cyber incident progresses.”

Capita’s clients include Sheffield City Council, which in a statement to The Record confirmed that it was “advising and supporting some schools who have been affected by the publishing of leaked information as per the latest update from Capita.”

A spokesperson for The Pensions Regulator told The Record: "We take IT security and the risk of cyber attacks extremely seriously."

They confirmed the regulator has “trustees of schemes which employ Capita as their administrator to speak with the company to understand more about the situation and to help determine whether there is a risk to their scheme’s data.”

The letter stressed: “If a trustee establishes that their scheme has suffered a data loss, they have a duty to notify TPR, other authorities and impacted individuals.”

In Capita’s full year results published earlier this year, the company reported £2.8 billion ($3.45 billion) in total revenue. Its public service division brought in £1.4 billion ($1.7 billion) of that.

Capita’s numerous contracts within the British public sector include several with the Ministry of Defence. Last year, a consortium it leads took control over engineering and maintenance support of training simulators for the Royal Navy’s nuclear-powered ballistic missile submarines used as part of the U.K.’s nuclear deterrent.

It is not known to what extent, if any, the criminals have compromised sensitive information relating to these contracts.

Update (5/1/2023): This story has been updated to include comments from a spokesperson for Capita.