100,000 M&S and Diageo pension members may have been breached in Capita attack
News follows statement by USS last week that 470,000 members could have been affected
More than 100,000 members of the pension schemes run by retailer Marks and Spencer and drinks giant Diageo are among those whose personal data was potentially stolen by hackers when they breached service provider Capita.
Last month, Capita officially confirmed that it experienced a cyberattack towards the end of March. The company acknowledged that cybercriminals had gained access to its systems and remained undetected for nearly 10 days before the breach was finally discovered.
A Russian group called Black Basta claimed responsibility for the attack.
Initially, Capita asserted that no customer data had been compromised. Later, while it said it was unable to definitively confirm whether the hackers accessed or copied data, it advised affected pension groups to proceed under the assumption that members' data had been compromised.
Last week, USS, the UK's largest pension fund, which relies on Capita's technology to facilitate its internal pension administration procedures, said the outsourcer had advised it that personal data from its 470,000 members may have been stolen.
This week, Diageo sent a letter to some pension holders warning them that personal data including national insurance number, home address and date of birth could have been exfiltrated by the hackers. The company has more than 30,000 members on its private pension scheme.
As reported by The Scotsman, a letter sent to one pension holder said: "During the course of April Capita informed us that they had taken steps to isolate and contain the incident whilst they continued to investigate it. However, on 3 May Capita told us that it is likely a file containing your data had been compromised."
The company offered a free 12-month membership to an Experian scheme to help the likely victim manage misuse of their personal data.
Marks and Spencer said a large proportion of its members could have had their personal data stolen. In 2021, the pension scheme had 106,000 members.
"Following a detailed investigation, Capita has also confirmed that unfortunately the incident may have affected the security of personal data for a large proportion of our Scheme's members," M&S said in an online post. "This includes the majority of the Scheme's pensioner members and a very small group of deferred members."
The retailer said it was writing individually to all members affected.
Capita, which has a workforce of over 50,000 employees in the UK, is a major supplier of UK government and corporate services. The company said in a statement it was working with "specialist advisers and forensic experts to investigate the incident," and had "taken extensive steps to recover and secure the data."
Last week, Capita warned investors that it could face a financial setback of up to £20 million as a result of the cyberattack.