Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen

UK pension fund USS has confirmed that nearly half a million customers may have been impacted by the recent Capita data breach. 

In a statement today, USS revealed it was told on Thursday that member data held on Capita servers was accessed by threat actors during a security incident last month. 

USS said that exposed information could include names, dates of birth, USS member numbers, and national insurance numbers. 

The data potentially accessed by hackers dates back to early 2021, and covers “around 470,000 active, deferred, and retired members”. 

According to USS, Capita said it cannot “currently confirm” if this data was exfiltrated by threat actors, but recommended that the pension provider “work on the assumption that it was”.

“We are awaiting receipt of the specific data from Capita, which we will, in turn, need to check and process,” the company said in a statement. 

“We will be writing to each of the members affected by this – and, where applicable, their employers – as soon as possible to make them aware, to apologize for any distress or inconvenience caused, and to provide ongoing support and advice.”

The USS statement may raise concerns among other clients at the embattled IT outsourcing firm, which was rocked by a security incident last month. 

Initially, Capita said there was “no evidence” that customer data had been compromised. 

However, it later issued a follow-up confirmation stating that there was “some evidence of limited data exfiltration” and that this “might include” customer, supplier, or colleague data.

Earlier this week, Capita revealed that the security incident could cost upwards of $25 million due to recovery and remediation costs and third-party consultancy fees. 

Immanuel Chavoya, senior manager of product security at SonicWall, told ITPro that the latest update highlights the potential long-term impact that this breach could have on Capita partner organizations.

The outsourcing giant provides services for both public and private sector clients, including the UK Ministry of Defence. 

“Cyber attacks such as the one on Capita require a bit of long-tail analysis to capture a clear understanding of impact, but what is known is that the ripple effect of a cyber attack like the one on Capita can be far-reaching, extending beyond the organization itself to shake customer trust, disrupt essential services, and reverberate throughout communities.”

USS has urged members to remain vigilant for potential scams in the wake of the discovery, warning that they could be subject to heightened threats such as phishing.

“We would encourage members to only ever give out personal information if they are absolutely sure they know who they are communicating with,” the company said. 

“We are sorry that member data has been accessed in this way. We are proactively engaging with Capita in respect of their ongoing investigations and are considering the next steps available to us. We also continue to engage with them about the ongoing support they will be providing to those affected.”

Ross Kelly
News and Analysis Editor
