Capita and their clients – there but for the grace of God…

Spare a thought for Capita staff, spending much of the weekend working out what has been hacked from the three servers reportedly impacted.

If you are a data controller, you probably depend on organisations such as Capita to manage the data effectively and keep it safe, but are we confident that, were we the victims of a Russian cyber-attack, we would have a plan in place much better than Capita’s Plan A?

We have our trust in Amazon Web Services, we have a Plan A and we have insurance; we were instructed by a NED, one of whose businesses was hacked; we have taken what precautions we could, but I remain nervous – who wouldn’t be? How would I react if the unthinkable happened?

Most of us, I suspect, would instinctively want to pull down the shutters and minimise disruption and reputational damage to the business. That’s what Capita did, until the Pensions Regulator wrote to 300 trustees responsible for pension funds that use Capita asking them to investigate whether the personal details of millions of people had fallen into the hands of foreign cybercriminals.

A problem shared is a problem halved – unless you have no data. Most trustees must have read that letter thinking this problem hadn’t halved but doubled. Capita and the trustees are very much in this together.

It is Capita that has to identify which members have had their data compromised and it’s up to the trustees to break the bad news. All that trustees can do right now is thank the grace of God that they have Capita to support them.

Ultimately, the decision to employ Capita, or any other third party administrator, is taken by trustees; they have that reckoning to follow. So have Capita.

The Trustee Plan A required perfect knowledge from March; clearly Plan A did not work.

Each now has to develop their own Plan B as they respond to the very specific request from TPR:

“As a data controller you need to gain assurance that your data processed by Capita is secure and take action as necessary to protect your members … Please tell us what steps you have taken to meet your obligations as a data controller.”

If you are a trustee reading this who didn’t get such a letter, then give double thanks for the grace of God as you can now prepare yourself to ensure that if your data is compromised, either directly or through a third party, you have a Plan A in place that learns from what Capita and their impacted clients are going through now.

There is a common enemy in this and this may be a case where the best means of self-defence is to adopt a common approach. What is obvious from the failure of Capita’s Plan A is that saying nothing, when hacked, simply kicks the problem down the road.

These hacks occurred in the middle of March; we are now in May. If you are a data controller, make sure that months don’t go by before you know what has happened.

Use your time before your hack wisely to have a Plan A that works. Then pray for the grace of God to grant that Plan A will never be actioned.

About Henry Tapper

Founder of the Pension PlayPen, partner of Stella, father of Olly. I am the Pension Plowman.