Three of Capita’s servers were hacked in March of this year. The Sunday Times put the hack on its front page in April and since then Capita has been reporting on its cyber incident. You can read the details on the blogs at the bottom of this page.
Capita until recently thought that only a small amount of data had been compromised, but this turns out to have been wishful thinking. Yesterday the dam burst.
USS uses Capita’s technology platform (Hartlink) to support its in-house pension administration processes. It says it has been liaising closely with Capita over the course of its forensic investigations.
While it has been confirmed that USS member data held on Hartlink has not been compromised, USS was informed on Thursday 11 May that details of USS members were held on the Capita servers accessed by the hackers. The information potentially accessed includes:
- Their title, initial(s), and name; their date of birth; their National Insurance number; their USS member number.
The details, dating from early 2021, cover around 470,000 active, deferred and retired members.
While Capita cannot currently confirm if this data was definitively “exfiltrated” (i.e., accessed and/or copied) by the hackers, they recommend USS members work on the assumption it was.
USS are telling their members that they are awaiting receipt of the specific data from Capita, which they will in turn need to check and process. USS uses Capita systems but not Capita’s administration.
USS will be writing to each of the members affected by this – and, where applicable, their employers – as soon as possible to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice.
Other Capita clients are not so patient. Colchester appears to have had a similar problem.
Colchester Council’s chief operating officer Richard Block told the Colchester Gazette and Standard:
“The council is extremely disappointed that such a serious and widespread data breach has occurred and is robustly addressing the matter with Capita.
“I want to reassure all residents that we are taking steps with Capita to fully understand how they have caused this data breach as well as any further action required.”
To be fair to USS
From the sideline, it does appear that USS are doing rather better than Capita in keeping “stakeholders” involved.
USS has information on its website providing tips on how to spot scams, and a set of Q&As is available here to address any immediate questions.
Members can also email firstname.lastname@example.org if they have any further queries not covered on www.uss.co.uk.
USS is encouraging members to only ever give out personal information if they are absolutely sure they know who they are communicating with. It is advising members:
If you receive a suspicious email, you should forward it to email@example.com. For text messages and telephone calls, forward the information to 7726 (free of charge). For items via post, contact the business concerned.
If there are any changes to your National Insurance information, HM Revenue & Customs would contact you – but you can also phone them on 0300 200 3500.
If you are concerned someone might be impersonating USS, please let us know by emailing firstname.lastname@example.org.
The National Cyber Security Centre and the Information Commissioner’s Office (ICO) both provide guidance that may also be useful.
USS has reported this incident to the ICO and will work with them on any investigation they choose to conduct and any recommendations they might subsequently make to USS. USS has also informed the Pensions Regulator and the Financial Conduct Authority.
It says it is confident members’ pensions remain secure. USS has reviewed their own systems and controls to ensure they remain robust. My USS login information has not been compromised.
View of an outsider
This is more than an embarrassment. The data was hacked over 6 weeks ago and it is only now that the USS trustees and executive have been made aware. I have spoken with USS on this and have been told that to date no member has reported any impact from their data being compromised.
But the fact remains that nearly half a million current, retired and former academics are at risk from their data being traded on the dark web.
Alan Chaplin, my senior correspondent on these matters, has this to say
And the Pensions Regulator is clearly anticipating more trustees with problems
“Be prepared” to answer member queries.
UK pensions regulator message to trustees of #pension schemes impacted by major cyber attack on Capita, an outsourced admin service provider. pic.twitter.com/688iuIEAmx
— Josephine Cumbo (@JosephineCumbo) May 12, 2023