It seems odd to me that regulators, police, ICO, action fraud aren’t the ones investigating what has been stolen. Writing letters to the clients of the victim of the crime asking them to work out what was stolen doesn’t feel the best way to deal with this https://t.co/HtxQIQ2n97
— alan chaplin (@achaplin71) May 4, 2023
Clients and victims
Alan Chaplin has hit the nail on the head and is – I am sure – speaking for most of us who do not know whether Capita have anything to do with our pension benefits.
The “clients” are Capita’s clients – the ultimate victims of the crime are not the clients (who are trustees and providers of contract based pensions), but people like you and me whose data has been compromised.
The only point at which a “victim” of a hack finds out about it , is when something bad happens. For instance when they find their friends befriended on Facebook by someone impersonating them or much worse when money starts disappearing from personal accounts, a “next step”.
But tracing that impersonation or burglary to the hack of your pension data is a piece of forensic research way beyond me and I suspect way beyond the trustees. It is one thing for Capita to identify who is vulnerable, another to identify a victim.
In all this, there is considerable noise but very little certainty.
In a statement to the FT, Capita said it was “working closely with specialist advisers and forensic experts” in investigating the cyber incident “to provide assurance around any potential customer, supplier or colleague data exfiltration”.
“Exfiltration” is an unusual word, meaning “the furtive escape from an area under enemy control”. So as well as unusual, it is wrong – as the data is escaping from an area under friendly control to one under enemy control. If there has been a hack, the data controller of the hacked data is not friendly. The word itself is furtive and makes things more obscure. Let’s try and avoid this jargon.
For all the furtiveness, it is a good thing that this is getting reported, if this incident hadn’t become front-page news , I suspect that the issue would have been left to smolder and whatever consequences to the victims would have remained unattributed (as they probably will be even after all this work).
We learn from the statement, that Capita’s investigation is likely to be over shortly, it has not been a long investigation as it appears to have been kicked off by press reports. In truth they don’t have much to say. And they are not saying yet saying “sorry”.
Saying sorry means admitting guilt and we are a long way from knowing who – if anyone – is guilty.
We only know we know very little
All we know is how little we know. We know that three servers were hacked, Capita know which ones and can tell those whose data was on those servers their data is hacked.
The data controllers have lost control and there are an un named number of victims or potential victims of this – whose wellbeing is at risk as a result.
The reason that this is so interesting (and the attention this incident is getting is astonishing) is it speaks to a fundamental insecurity we have, that we are not in control and know very little about what is happening to the data we entrust to others.
Crime and punishment
Inevitably – the word “liability” rears its ugly head. With both the FCA and TPR involved , as well as the ICO and we suppose the police and action fraud – crime and punishment are words in the backs of our head.
Was there proper security in place? Did an error occur? Was this an insider job? Did Capita respond properly? None of these questions are addressed in what little we are hearing.
The data controller is the trustee who outsources to Capita. As an outsourcer, Capita stands to lose reputation but it is the Trustee who is ultimately responsible for the data.
Unless a sum has been paid as a ransom by Capita, and there is no evidence this has happened, the loss to Capita is reputational and they could be litigated against by clients under the terms of contract.
As I’ve recently written, and as I observed at the PASA conference, there is a vulnerability about our industry right now that comes from our not knowing the consequences of what happens when a hack occurs.
Everyone is involved but no-one is taking charge. So, as Alan Chaplin points out, the responsibility for finding out what is happening is being passed from player to player with resulting insecurity “all round”.
Blaming someone else does not get rid of the fundamental anxiety, though it may be necessary to make it easier to live with. That isn’t really a very good way to manage the situation either.
Who really is the victim?
To determine liability, we need to apportion blame, to determine the victim is even harder.
This is because the current victims of this hack are Capita, its reputation and its insurance.
I cannot see any way that any losses to those whose data has been compromised will be able to pin it on their Trustees or Capita. Burglars are not in the habit of leaving a note explaining how they got in to your house.
The real victims may never know why they were robbed nor how. As we move towards ever greater digitalization of our finances, this state of affairs needs to be addressed.
My personal view is that we cannot turn back on this direction of travel but must make sure that we are clear and open when things go wrong. It would appear that this is a relatively minor hack. “Relative” to the kind of problem that could go wrong if a state database or a dashboard ISP was hacked.
The only way we can profit from the Capita experience is through open and honest behavior by Capita – which we seem to be eventually getting. Capita will continue to be a major player in pensions and wider administration, we need to allow them to rebuild rather than profiting from their misfortune.
And we must accept that there are no obvious answers to the difficult questions this matter throws up.
I worry that data security issues will be used to delay or dismiss digital solutions that we need to manage our pension freedoms.