Pension fund warns 470,000 members may have been compromised by Capita hackers

USS, the UK's largest pension fund, relies on Capita's technology to facilitate its internal pension administration procedures

The Universities Superannuation Scheme (USS), the largest pension fund in Britain, has disclosed that data pertaining to 470,000 of its members may have been stolen following a recent cyberattack on Capita.

With assets valued at £82 billion, USS is the primary pension scheme for universities and higher education institutions in the country. USS relies on Capita's technology platform, known as Hartlink, to facilitate its internal pension administration procedures.

Last month, Capita officially confirmed that it experienced a cyberattack towards the end of March.

In a statement released last week, USS gave an assurance that the member data stored on Hartlink remained uncompromised.

However, it said that Capita has notified USS that certain details, such as names, dates of birth, and national insurance numbers of approximately 470,000 members, dating back to early 2021, were present on the servers accessed by the hackers.

While Capita was unable to definitively confirm whether the hackers accessed or copied the mentioned data, it has advised the pension group to proceed under the assumption that members' data had been compromised.

"We are awaiting receipt of the specific data from Capita, which we will in turn need to check and process," USS said.

"We will be writing to each of the members affected by this - and, where applicable, their employers - as soon as possible to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice."

Last month, Capita said that cybercriminals had successfully infiltrated their systems and managed to remain undetected for nearly 10 days before the breach was eventually discovered.

The breach came to light after an IT failure occurred, preventing staff from accessing crucial systems, leading to service disruptions for local authorities and certain businesses.

At first, Capita had claimed that no customer data had been compromised in the cyberattack. However, a week later, the company provided an update acknowledging the possibility of certain information being stolen during the incident.

Capita holds a significant position as one of the major software and IT services providers for the UK government.

Additionally, it is responsible for collecting the BBC licence fee and overseeing training for the Royal Navy.

Capita's systems play a crucial role in managing pensions for around 450 organisations, including Royal Mail and Axa, serving a vast number of policyholders.

Following the cyberattack on Capita, the Financial Conduct Authority (FCA) has proactively contacted multiple businesses that utilize Capita for administrative services. This outreach is part of the FCA's efforts to ensure that the businesses are aware of the situation and can take necessary precautions regarding the potential impact on their operations.

In a recent update to investors, Capita cautioned that it could incur expenses of up to £20 million due to the cyberattack.

These expenses include engaging specialist professionals, undertaking recovery and remediation measures, and making investments to bolster Capita's cybersecurity infrastructure.

According to the company's investigations, less than 0.1% of its server estate was affected, but some data was accessed during the incident.

Experts have warned that the theft of personal data by hackers can expose individuals to social engineering attacks, in which the perpetrators impersonate victims to illicitly obtain money, information, or unauthorised access to networks.

In response, USS is providing guidance to its members, advising them to exercise extreme caution and only disclose personal information when they are entirely certain about the identity of the party they are communicating with.

USS says it has reported the incident to the Information Commissioner's Office (ICO), the Pensions Regulator and the FCA.

"We are confident members' pensions remain secure. We have reviewed our own systems and controls to ensure they remain robust," it added.