Capita is one of the UK’s largest business process outsourcing and professional services companies. It is a major contractor for the UK government, local authorities and many large organisations throughout the UK. It experienced two significant data breaches in 2023. The 2023 Capita data breaches could affect millions of people, including UK pension holders, people on benefits, Capita employees and more.
Since our first article about the Capita Data Breach, there have been several developments, including the uncovering of another breach that supposedly affects the data of people on benefits from several local councils.
In this article, we’re going to provide an update on the Capita data breaches 2023 and run through everything you need to know and what actions you should take if you think you have been affected.
The Capita Data Hack
The first Capita data breach relates to a ransomware cyber-attack that Capita suffered in March 2023. Criminals managed to exfiltrate data from Capita’s servers. The Information Commissioner’s Office has said that around 90 organisations reported they have been affected by the breach.
Capita provides outsourced pension administration services to over 450 pension providers in the UK, including AXA, Royal Mail and PwC, administering the pensions of around 4.5 million people. The cyber-attack prompted The Pensions Regulator (TPR) to write to more than 300 pension funds to ask them to check whether their data had been stolen by the hackers.
“As trustees, you are responsible for the security of your members’ data. If you use Capita’s services, you should check whether your pension scheme’s data could be affected. Make sure you keep communicating with Capita as the situation evolves.”
They told trustees to “contact their members proactively to warn them about pension scams and keep them updated while you confirm whether a data breach has taken place.”
We believe that over a million UK pension holders could be at risk due to this cybersecurity incident. The Information Commissioner’s Office (ICO) has said that around 90 organisations have reported breaches of personal data stored by Capita.
The affected pension schemes include:
- Universities Superannuation Scheme (USS)
- Marks and Spencer
- Royal Mail
- BAE Systems
- Mineworkers Pension Scheme
The impact of this breach is still being determined, so new pension schemes may be added to this list.
The Universities Superannuation Scheme (USS), which is Britain’s largest private pension plan, warned its half a million members of the potential dangers, saying that the data on Capita’s servers related to 470,000 deferred and retired members and Capita has advised them to assume some data had been accessed or copied. This is just from one pension scheme.
The cyber-attack is also said to have affected NHS England, with files containing the names and NHS numbers of deceased and deregistered patients among the documents accessed.
What caused the Capita data hack?
Russian hackers have taken responsibility for the data hack. The ransomware group Black Basta claimed they were the perpetrators of the attack. These cybercriminals infiltrated Capita’s systems and stole the data of hundreds of thousands of people, and they have since reportedly leaked Capita customer data on the dark web.
The outsourcer admitted that the hackers had access to its systems for almost 10 days before the breach was discovered.
What data is likely to have been breached?
Both Capita data breaches involved significant amounts of sensitive data. In the first major breach, which affected pension providers, the data that reportedly could have been accessed includes the person’s title, initial(s), full name, date of birth, National Insurance number, pension fund member number and retirement date.
Other organisations have reported that passport photos, bank account details, home addresses and phone numbers could also have been breached and uploaded to the dark web.
The second Capita data breach
In May 2023, it was reported that Capita had suffered its second data breach in under two months. The Information Commissioner’s Office (ICO) said in a statement that a “second breach emerged in May when it was reported that the firm had left benefits data files in publicly accessible storage, prompting several councils to say they thought their data had been compromised.”
This data security incident is said to have affected several local authorities, including:
- Colchester Council
- Coventry City Council
- Derby City Council
- Adur and Worthing Council
- Rochford District Council
- South Staffordshire Council
Colchester Council expressed its “extreme disappointment with Capita” after it found that benefits data for 2019-20 and 2020-21 was supposedly exposed.
This unsecured file was said to have contained half a terabyte of data and had been left exposed online and unprotected as far back as 2016.
While it’s believed no criminals were involved in this second Capita data storage breach, we recommend those potentially affected be extremely vigilant as the data has been publicly accessible online for many years.
How did the second Capita data leak occur?
This data breach supposedly occurred due to an exposed “Amazon S3 bucket.” Amazon S3 is a cloud-based storage service used by many companies. However, leaving S3 buckets open poses a cybersecurity risk, as anyone who knows where to look could access, alter or delete the data within.
The most likely cause of these files being left exposed is a cloud misconfiguration or an oversight when setting up the bucket’s permissions. Amazon S3 buckets are private by default, so only the account owner and those they have granted permission to can access the bucket and its contents. However, when the bucket is configured, someone could accidentally set its permissions to public.
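The passage above describes how an S3 bucket ends up public through its permissions. The following added example (not code from the original article, and not Capita’s actual configuration, which the article does not describe) shows the three places a bucket can be opened up, a weak bucket policy beside its corrected form, and simple checks that flag each kind of public setting. Bucket names, the account id and the role name are constructed placeholders.

```python
# Constructed example bucket configurations (not Capita's actual setup, which the page
# does not describe). Policy, ACL and Public Access Block are the three places an S3
# bucket can be made world-readable; the checks below flag each one.

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-benefits-data",
                 "arn:aws:s3:::example-benefits-data/*"]}]}

# Corrected form: the same read access, but only for one role in the owning account
# (placeholder account id and role name).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RoleReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/benefits-processor"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-benefits-data/*"}]}

# Grantee URIs that make an ACL grant public (AllUsers = the anonymous internet).
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_anyone(principal) -> bool:
    """True when the statement's Principal is '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to anyone and not narrowed by a Condition
    (a Condition is assumed to narrow access; review those by hand)."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(grants: list) -> list:
    """Permissions the bucket ACL hands to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS]

def public_access_block_ok(cfg: dict) -> bool:
    """The bucket-level Public Access Block only protects with all four flags on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)
```

Feeding these functions the output of the real policy, ACL and Public Access Block lookups for each bucket turns them into a routine check for the kind of exposure the article describes.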
What data is said to have been breached?
Reportedly, in this second breach affecting local councils, benefit details, including PIP (Personal Independence Payment) data, may have been accessed.
Capita employee data could also have been breached
The Communications Workers Union (CWU) has called for Capita to come clean and clarify the extent to which Capita employee data was affected by the data breach amid growing unease as to the nature and scale of the threat the data breach could pose to employees.
Despite initially assuring people that the criminal hacking was “limited to the Capita network” and that there was “no evidence of colleague, client or customer data having been compromised,” media reporting has continued to suggest that this may be more serious than originally thought.
Back in April, Capita CEO Jon Lewis revealed that “there is now some evidence of a limited amount of data leaving the business from a small proportion of our servers.”
“Investigations are ongoing,” the CEO continued, “but this might include colleague data.”
The Financial Times also reported in July that Capita’s pension fund was affected by the breach in March.
“We are informing those we have identified to be affected by the incident, and Capita colleagues are being contacted wherever necessary as part of the process,” Capita said.
This notification sent to Capita’s pension fund members came more than three months after the hack.
The CWU issued an urgent demand to Capita to clarify the extent to which employees should be concerned about the security of sensitive personal information held on the company’s systems. They said that it has “naturally created a plethora of questions” for Capita employees who are part of the union.
In a joint statement issued to Capita members by the CWU last week, CWU national officer Tracey Fussey, and acting deputy general secretary (Postal) Andy Furey, hit out at Capita’s “continuing failure to keep the CWU properly informed on matters that have a clear and urgent relevance to the union’s Capita members.”
They state they are seeking an urgent meeting to discuss the breach with Capita and the impact of this on its members.
Speaking to CWU news, Tracey Fussey stated:
“Capita owes it to its employees to answer these questions as soon as is humanly possible – and members can rest assured that CWU will keep up the pressure until it does.”
Victims of the Capita data breaches could be at risk
Millions of people could be affected by the Capita data breaches, with 90 organisations having already reported to the ICO that their data was affected, and investigations still underway. Capita has stated that it believes the cyber-attack will cost around £20 million in specialist professional fees, recovery and remediation costs, and investment to reinforce its cybersecurity defences and strengthen its IT security.
After experiencing a data breach, affected individuals are at an increased risk of further attacks and fraudulent activity. Anyone who has been made aware that their data has been affected in either of these Capita data breaches must be extremely vigilant and cautious. We often see people who are the victims of similar data breaches become the target of cybercriminals who then send out phishing attacks or attempt fraud and identity theft. Some victims have already reported experiencing unauthorised banking activity, such as takeaway orders being placed on their accounts.
Some individuals have been offered credit monitoring following the breaches to keep an eye on their accounts in case someone tried to take out any form of credit in their name or any other fraudulent activities. We strongly recommend if you have been offered this credit monitoring service (e.g. from Experian), that you take it. This will help you to identify any fraudulent attempts to use your compromised data.
This is little comfort for those who have been affected, though. One USS member described it as a “non-solution that places the onus on the victims to monitor our potential identity theft.”
One PwC pension fund member said they would like to change their complete identity as “there’s so much of me that’s now out in the hands of somebody else who can choose to use it however they want.”
Who is responsible for securing my data?
While both of these breaches occurred at Capita, Capita may not be the company to which you supplied your data. As an outsourcing and professional services company, it handles and stores the data of many different companies and large organisations, such as the NHS, the UK military, the Ministry of Defence and the Royal Bank of Scotland.
While it was data held by Capita that was stolen in the first breach, the pension schemes that outsource to Capita remain responsible for their members’ data. Therefore, if you have been affected by this, your pension provider should have written to you to make you aware that your data could have been affected.
In the second breach, the unsecured S3 bucket was controlled by Capita, but the local authorities whose data it stored remain responsible for looking after the benefit data given to them. Therefore, if you have been affected by this breach, you should have been contacted by your local authority to make you aware of it.
What to do if you have been affected by the Capita data breaches
Becoming the victim of a data breach can be a very distressing experience. Victims often experience stress, fear and anxiety at the thought of their personal information being exposed. Not knowing who has accessed your data or what they could do with it is a very harrowing experience, not to mention the increased threat of further scams, fraud and even identity theft, which can lead to huge financial losses.
We understand the difficulties faced by those who are victims of data breaches, and we want to help. Read our article about what to do after experiencing a data breach so you can learn how to protect yourself effectively if you’re in this situation.
You can also take out a claim for compensation against the organisation responsible for the breach of your data. In this case, you can make a Capita data breach claim for compensation if you have been contacted to be made aware your data has been affected in either of the two Capita data breaches. Our expert data breach solicitors have many years of experience helping clients successfully obtain the compensation they deserve after suffering a data breach.
We’re here to help you every step of the way and are well-versed in the laws and regulations around the storage of data, data protection laws, and data breach claims. We even offer free consultations, and if we believe you have a case, we can handle your claim on a no-win, no-fee basis. This means you don’t have to pay a penny upfront to start your claim.
Get in touch with our team today if you have been affected by the Capita data breaches. Start your claim for free by filling in our online claim form, or contact the team at 0151 668 0810 or firstname.lastname@example.org. There are no costs for speaking to our team, and you are under no obligation to proceed if you choose not to.
Let us help you get the compensation you deserve, so you can get your life back on track.