Beneficiary data exposed in the Capita Data Breach
August 8, 2023
We have discovered that – as well as exposing the personal information of pension holders – the Capita data breach also affects their beneficiaries.
Capita – one of the UK’s most prominent business process outsourcing and professional services companies – has experienced two significant data protection breaches. The Capita data breaches could affect millions of UK pension holders, an undisclosed number of people on benefits, Capita employees, and others.
The first data breach relates to a ransomware cyber-attack that happened in March 2023 when criminals exfiltrated data from Capita’s servers. According to the Information Commissioner’s Office, around 90 organisations have reported data protection violations related to this incident.
Capita provides outsourced pension administration services to over 450 pension providers across the UK. Several of them have confirmed that they are affected by this breach. Personal data, including names, dates of birth and National Insurance numbers may have been accessed by hackers. Other valuable information may also have been compromised and we understand financial/bank details were also affected.
So far, we believe that over half a million UK pension holders could be at risk following this data security incident. As well as exposing the personal information of pension holders – the Capita data breach also affects their beneficiaries.
After the news of this data breach broke, NHS England also reported a data breach related to Capita. According to reports, on this occasion the security failure involved a document containing ‘limited optometry information’ for two patients, and two files containing names and NHS numbers of deceased and de-registered GP patients.
Three months after the attack took place, Capita told some of its own employees that their personal information was also accessed by the Russian cybercriminals. The compromised employee data includes dates of birth, marital status, home addresses, salary, email addresses, employment details and employment history.
The second data breach relates to the use of publicly accessible “unsafe storage” provided by Capita.
Colchester Council has shared its “extreme disappointment with Capita” after benefits data for 2019-20 and 2020-21 was found on an unsecured storage platform. This data security incident is believed to affect several other local authorities including councils in Coventry, Derby, Adur and Worthing, Rochford, and South Staffordshire.
The platform, which contained more than half a terabyte of data, was exposed online and unprotected by a password as far back as 2016. Capita claims that that no personal bank account details have been compromised in this incident.
At Keller Postman UK, our cyber experts are investigating the breaches to find out what happened and who is affected. If you receive notification that you are affected by a Capita data breach, register below to join our group action and receive updates on our investigation. We’ll let you know what’s happening, and if you can make a no-win, no-fee data breach compensation claim.
We now represent clients across 23 separate pension schemes, with more joining our action daily. In addition, two leading Unions have appointed Keller Postman UK to provide legal assistance to their members.
We don’t yet know the full extent of the Capita data breaches. However, the following pension plans and local authorities may have had data stolen:
The USS is the biggest private sector pension plan in the UK. Around 470,000 members may have had their detail stolen in the Capita cyber-attack.
The drinks maker has said that around 32,000 pension members have been affected by the incident.
Capita has confirmed that some Unilever member data may have been accessed by the unauthorised third party.
In 2021 the scheme had 106,000 members with about 53,000 of those pensioners.
Around 50,000 individuals are thought to be affected.
A letter from the trustees of the PwC pension scheme confirms that member data has been exfiltrated.
Following a detailed investigation, Capita notified the Trustee that, personal details of approximately 8,000 pensioner members with SIPS benefits were included in copies of the data that were taken by the cyber attackers.
Capita has told some of its employees that their personal data, including names, addresses and national insurance numbers, were stolen in the data hack.
Colchester Council has also shared its “extreme disappointment with Capita” after benefits data for 2019-20 and 2020-21 was found on an unsecured storage platform. This is believed to be a separate data security incident.
Capita informed NHS England that a document containing limited optometry information for two patients was accessed. Two files containing names and NHS numbers of deceased and de-registered patients were accessed.
It is vital that victims of these breaches do not experience further attacks. Affected pension holders, Capital employees, and anyone else involved in the data hack should be vigilant. At Keller Postman UK, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft.
While no criminals were involved in the Capita data storage breach, vigilance is also recommended as this data has been publicly accessible online for years.
Some individuals have been offered credit monitoring (e.g., via Experian) following the breaches. We strongly recommend that this is accepted as it will help to detect any fraudulent attempts to use the compromised personal data.
While Capita was hacked in the first data breach, pension schemes are responsible for the security of member data. The Pensions Regulator confirmed this in a statement to trustees of affected pensions. Following the breach, both the Pension Regulator and the ICO will likely want to know more about the affected pensions’ security measures, and their relationship with Capita in regards to data protection.
If you receive notification that you are affected by a Capita data breach – either as a pension holder or a nominated beneficiary – you can register to join our group action.
In the second breach, the unsecured storage platform was controlled by Capita. But here again, the local authorities involved are responsible for looking after the benefit data of the people they serve.
We have discovered that – as well as exposing the personal information of pension holders – the Capita data breach also affects their beneficiaries.
We now represent clients across 23 separate pension schemes, with more joining our action daily. In addition, two leading Unions have appointed Keller Postman UK to provide legal assistance to their members.
Capita has now informed some of its employees that their personal data was also accessed by the criminals, believed to be part of Russian-based ransomware group Black Basta.
Pension holders are worried that the data stolen in the Capita hack could include their bank account details. Certainly, this has not yet been ruled out.
In March 2023, Capita experienced a cyber-attack. The incident left staff unable to access services and local authority and business services were disrupted. While Capita initially insisted that hackers had simply managed to disrupt the businesses’ internal systems, it is now accepted that the incident was a ransomware attack leading to a potential data breach.
Our investigators believe that the Russian-based ransomware group Black Basta was likely responsible. The criminals claimed they had the Capita data in a now-deleted online post. Capita has declined to comment on whether it paid the ransom.
The second data breach relates to the use of publicly accessible “unsafe storage” provided by Capita. The platform, which contained more than half a terabyte of data, was exposed online and unprotected by a password as far back as 2016.
Between the two breaches the list of potentially compromised data includes customer:
According to reports 1, the data might include other valuable information – possibly including sensitive and special category data.
We understand financial/bank details were also included.
The compromised employee data includes dates of birth, marital status, home addresses, salary, email addresses, employment details and employment history.
On March 31 2023, Capita said:
“Following a technical problem which has affected access to some of our services today, we can confirm that we have identified an IT issue that is primarily impacting our internal systems. We are working to swiftly restore those services that have been affected and will issue a further update in due course.”
On 20 April 2023, Capita provided more information when it posted the following statement on its website:
“On 3 April 2023, Capita plc (“Capita”) announced that it had experienced a cyber incident which primarily impacted access to internal Microsoft Office 365 applications.
“Since the incident, Capita and its technical partners have restored Capita colleagues’ access to Microsoft Office 365. The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted.
“In parallel with the services restoration activity, Capita has continued to work closely and at speed with specialist advisers and forensic experts in investigating the incident to provide assurance around any potential customer, supplier or colleague data exfiltration.
“From our investigations to date, it appears that the incident arose following initial unauthorised access on or around 22 March and was interrupted by Capita on 31 March. As a result of the interruption, the incident was significantly restricted, potentially affecting around 4% of Capita’s server estate. There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.
“Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner.
“Capita continues to comply with all relevant regulatory obligations.”
Affected organisations should be in touch to notify affected individuals.
Anyone who thinks they might be involved should take immediate steps to protect themselves. Find out how to do this here.
If you receive notification that you are affected by either Capita data breach, register below to receive updates on our investigation. We’ll let you know what’s happening, and if and when you can make a no-win, no-fee data breach compensation claim.
A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions.
There are no costs to join our claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At Keller Postman UK, our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny.
Find out more about making a group action claim for compensation.
What does no-win, no-fee actually mean and are there really no costs if you appoint us?
We are one of the most experienced multi-claimant law firms in the UK.
Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.
We represent clients in group actions with innovation, resources, and expertise.
We work with expert barristers to ensure you get the very best level of legal support available.
We have all the resources and global expertise necessary to take on complicated cases and win.
We have offices in Chancery Lane London, Birmingham and Liverpool, and the technology to provide a nationwide service, so we can help clients across England & Wales.
We use technology to deliver a better legal experience to our clients.
We work on a no-win, no-fee basis.
We make the process straightforward and hassle-free.
While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:
With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.
GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.
Keller Postman UK has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
Keller Postman UK is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.