Pension funds now warning hundreds of thousands of members over potential loss of personal data from Capita breach earlier this year
Capita was hit by a cyber attack in March and it later emerged the company had left a cache of data unsecured online.
“We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries,” the ICO said.
Hundreds of thousands of people are being notified that their personal data was affected by the March hack, while Capita says it has secured the exposed online data.
Companies that may have been affected by the Capita incidents must notify the ICO within 72 hours of becoming aware of a personal data breach, unless the breach does not pose a risk to people’s rights and freedoms.
The ICO is therefore urging organisations that use Capita to determine whether the personal data they hold has been affected and to consider reporting a breach.
If they decide not to report an incident, they should keep their own record of it and be prepared to explain why it wasn’t reported if necessary, the ICO said.
Capita has not disclosed details of the March breach, but industry experts have speculated it was a ransomware attack.
The company initially said it did not believe the incident had put personal data at risk, but has since warned that data was probably stolen from a number of large pension schemes it administers.
The pension schemes of Marks and Spencer, Diageo, Unilever and Rothesay are amongst those affected, Capita has said.
The main UK pension fund for universities, the Universities Superannuation Scheme (USS), is also in the process of notifying all of its 500,000 members that their data is at risk.
USS said that “details of USS members were held on the Capita servers accessed by the hackers” and that the attackers potentially accessed members’ name, date of birth, National Insurance number, USS member number and retirement dates.
The details, which date from early 2021, cover about 470,000 active, deferred and retired members, USS said.
“While Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was,” USS said in a statement.
Capita said it has “worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business” and will continue to provide further support to those affected as needed.
It said the data exposed in the second incident “was secure and no longer accessible and our investigations into this matter are ongoing”.