The Pensions Regulator has asked hundreds of pension funds to investigate whether the personal details of millions of people have fallen into the hands of foreign cybercriminals following a hack at Capita, the UK’s largest outsourcer.
The watchdog has written to trustees responsible for pension funds that use Capita to administer their schemes after the company’s IT systems were compromised by a Russian hacking group, which leaked the data of some Capita clients.
Last month, a group called Black Basta hacked into Capita’s systems. Although Capita initially claimed that there had been no data breach, The Sunday Times revealed that passport pictures, bank account details and phone numbers of purported Capita clients had been uploaded onto the dark web.
Capita holds contracts with the London boroughs of Barnet, and Barking and Dagenham, and with South Oxfordshire council, whose phone lines for benefits, council tax and business rates call centres were disrupted by the attack.
Capita’s systems administer the pensions of about 4.5 million people on behalf of 450 organisations, including AXA, Royal Mail, USS and PwC. Its software helps deduct pension contributions from company payrolls and move them to pension pots.
If pension scheme members’ details were to fall into the wrong hands, the fear is that they could fall victim to scammers or sales calls from unscrupulous investment firms.
These are some reasonable questions readers might be asking themselves.
Am I affected – is my data currently being sold on the dark web?
What has this to do with my pension trustees – are they responsible?
This happened in March, so why is it only now – in May – that The Pensions Regulator is doing something about it?
What is Capita doing to help me?
Capita’s explanation to me
Capita were exhibiting at Pensions Age’s conference last week and I wandered to their stand after witnessing a talk by Saskia Drake and Freddie Witzmann on how to prepare for a cyber-attack. Here’s the summary from Mercer/Marsh:
Over the last 5 years, we have seen cyber-attacks increase in complexity and frequency at a frightening pace. The risk they pose to organisations worldwide is far reaching and impossible to ignore.
To try and quantify it for you: it has become more profitable to deploy ransomware than traffic cocaine. Because of this, huge cyber-criminal groups like Conti have been set up and are pouring vast quantities of money into developing new tools and techniques to breach our defences.
It really is a question of ‘when’ not ‘if’ now and we need to be prepared. In the session we provided a summary of how you, as a pension fund, might be impacted by a cyber-crisis event and will cover the risk you have, the responsibility you hold and the things you should consider.
I put it to Capita that they should have been inside the hall, not sitting on a stand outside.
“Nothing to see here” was the Capita position, with the prepared line “don’t judge us for having a breach but for how we’re dealing with it”. This casual attitude suggests that even last week Capita hoped this problem had gone away.
Capita’s public statements
In late March, Capita first disclosed an “IT issue” that left staff unable to access some systems and disrupted services provided to local authority clients. The outsourcer confirmed on April 20 that there had been a data breach and that hackers may have accessed customer and internal data.
It said the incident affected about 4 per cent of its servers, and that it had found “some evidence of limited data exfiltration”. It added that hackers accessed its servers on or around March 22, and it had managed to interrupt the operation on March 31 and had “significantly restricted” the incident.
The company has refused to confirm or deny whether the data breach formed part of a ransomware attack. “Since March 31st we have been in regular contact with trustees and regulators, and we will keep them updated as our investigation into the cyber incident progresses,” the company said.
Hoping it will go away
The roaring silence on the breach has not worked: the Times has published four articles since April 16th, and the Telegraph is now in on the act
— Stephanie Hawthorne (@HawthorneSJJ) April 30, 2023
and the FT’s top newshound is on the case
Capita hack prompts watchdog to warn pension funds over data https://t.co/6aH93E1WOm
— Josephine Cumbo (@JosephineCumbo) April 30, 2023
Whatever damage limitation plan Capita has had in place, it doesn’t look like it’s working.
You can’t search the dark web
The problem for the members whose data may have been compromised is that you cannot search the dark web yourself to find out what is known about you. If your details are for sale, then there is little you, your trustees or Capita can do about it. USS has told the FT that, for the 465,000 members whose details are stored on Capita systems, there is no evidence of anything wrong. The FT reports:
“We are currently not aware of any impact on USS data,” said a USS spokesperson, adding that the scheme was liaising closely with Capita.
What is Plan B?
Plan A, saying as little as possible and hoping this will go away, has failed. TPR has written to 300 clients, the press is on the case and, because of the nature of the hack, it is hard for Capita to prove that no harm has been done.
Scammers are unlikely to advertise the source of the information they have on you, so if you are impacted, you will have no way of knowing if it was down to Capita or another source.
So accountability for what has or hasn’t happened will be hard to establish. However, reputational damage, which rests on a much lower burden of proof, is likely to be much greater. Capita are supposed to be at the forefront of protecting us from data hacks, and this is not a good look.
Plan B has yet to be rolled out, but for Capita’s reputation and those directly impacted by the hack, it had better be a good one.