Updated: UK pension schemes reveal impact of cyber breach

The Information Commissioner's Office (ICO) has confirmed that it has received a "large number" of reports from organisations directly affected by the recent Capita cyber incidents, revealing that it is "currently making enquiries".

Capita previously announced in April that it had experienced a cyber incident and that there was evidence of “limited data exfiltration from the small proportion of affected service estate which might include some customer, supplier or colleague data”.

In a statement, the ICO confirmed that it is aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage.

An ICO spokesperson said: "We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected.

"If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

"If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary."

Following Capita's investigations, a number of UK pension schemes also wrote to members to confirm that their personal details may have been affected by the recent incident, with The Pensions Regulator encouraging impacted trustees to proactively warn members about the potential for pension scams.

In particular, the Universities Superannuation Scheme (USS) revealed that the personal details of around 470,000 active, deferred and retired members may have been accessed during the recent Capita cyber incident, while the M&S Pension Scheme trustee said the security of personal data for a "large proportion" of its members may have been affected.

Following on from this, Rothesay has confirmed that the incident also affected the personal data of around 50,000 individuals who were former members and dependants of Telent’s GEC 1972 Plan and joined Rothesay in 2019.

The insurer emphasised that it is only these individuals who joined Rothesay in 2019 from Telent’s GEC 1972 Plan who are affected, with Capita having confirmed they are the only Rothesay policyholders impacted by its cyber incident.

All impacted individuals are being contacted by post by Rothesay to reassure them that their pension policies are unaffected and to provide further details and guidance on what steps they should take to protect their data.

In line with support offered by the USS trustee, Rothesay also confirmed that individuals who have been affected are being offered a specialist fraud monitoring service provided by Experian as a precaution, with membership to be paid in full at no cost to those impacted.

"Rothesay has been working very closely with Capita to understand how its cyber incident occurred and to put things right. Rothesay’s own systems were not impacted at all by the incident," the insurer stated.

"Protecting the data of the over 825,000 pensions we secure is a responsibility we take incredibly seriously. On behalf of Capita and Rothesay, we would like to offer our deepest apologies for any concern that this incident may have caused."

Unilever has also since confirmed that some of its member data may have been accessed by an unauthorised third party as part of the recent Capita cyber incident, with the trustee now contacting those members affected to make them aware.

Although the Unilever Pension Scheme emphasised that members' pension benefits are safe and unaffected by this incident, it also reminded members of the need to stay vigilant against unusual online activity or information requests.

Colchester City Council also said that it is taking “swift and decisive action” in response to the Capita cyber incident, revealing that the data breach has affected several other local authorities around the country, relating to historic data – the full extent of which is being investigated.

Colchester City Council chief operating officer, Richard Block, stated: “The council is extremely disappointed that such a serious and widespread data breach has occurred and is robustly addressing the matter with Capita.

"I want to reassure all residents that we are taking steps with Capita to fully understand how they have caused this data breach as well as any further action required.

“We understand that this issue will cause concern among residents and apologise to those affected on behalf of Capita.

"Our top priority is to safeguard the privacy and security of our residents' personal information, and we are taking swift and decisive action to investigate the situation and ensure Capita's processes are improved to avoid any future breaches.”

Commenting in relation to the cyber incident and affected clients, a Capita spokesperson said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data.

“In line with our previous announcement, we are now informing those we have identified to be affected. We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so.”

    Share Story:

Recent Stories


A time for fixed income
Francesca Fabrizi discusses fixed income trends and opportunities with Goldman Sachs Asset Management Head of UK Pensions Solutions, Fixed Income Portfolio Management, Henry Hughes, in our Pensions Age video interview

Purposeful run-on
Laura Blows discusses purposeful run-on for DB schemes with Isio director, actuarial and consulting, Matt Brown, in Pensions Age’s latest video interview
Find out more about Purposeful Run On

Keeping on track
In the latest Pensions Age podcast, Sophie Smith talks to Pensions Dashboards Programme (PDP) principal, Chris Curry, about the latest pensions dashboards developments, and the work still needed to stay on track
Building investments in a DC world
In the latest Pensions Age podcast, Sophie Smith talks to USS Investment Management’s head of investment product management, Naomi Clark, about the USS’ DC investments and its journey into private markets

Advertisement