
Capita data breaches 2023: Everything you need to know

Capita is one of the UK’s largest business process outsourcing and professional services companies. It is a major contractor for the UK government, local authorities and many large organisations throughout the UK. It experienced two significant data breaches in 2023. The 2023 Capita data breaches could affect millions of people, including UK pension holders, people on benefits, Capita employees and more.

Since our first article about the Capita data breach, there have been several developments, including the uncovering of another breach that reportedly affects the data of people on benefits from several local councils. More recently, it was also reported that the Capita data breach could have affected the personal data of up to 30,000 primary school pupils. The breach is said to have cost Capita up to £25 million.

In this article, we’re going to provide an update on the Capita data breaches 2023 and run through everything you need to know and what actions you should take if you think you have been affected.

The Capita Data Hack 

The first Capita data breach relates to a ransomware cyber-attack that Capita suffered in March 2023. Criminals managed to exfiltrate data from Capita’s servers. The Information Commissioner’s Office (ICO) has said that around 90 organisations have reported that they were affected by the breach.

Capita provides outsourced pension administration services to over 450 pension providers in the UK, including AXA, Royal Mail and PwC, administering the pensions of around 4.5 million people. The cyber-attack prompted The Pensions Regulator (TPR) to write to more than 300 pension funds to ask them to check whether their data had been stolen by the hackers.

In a statement on their website published on 12 May 2023, The Pensions Regulator said:

“As trustees, you are responsible for the security of your members’ data. If you use Capita’s services, you should check whether your pension scheme’s data could be affected. Make sure you keep communicating with Capita as the situation evolves.”

They told trustees to “contact their members proactively to warn them about pension scams and keep them updated while you confirm whether a data breach has taken place.”


We believe that over a million UK pension holders could be at risk due to this cybersecurity incident. As noted above, the ICO has said that around 90 organisations have reported breaches of personal data stored by Capita.

The affected pension schemes include:

  • Universities Superannuation Scheme (USS)
  • Unilever
  • Marks and Spencer
  • PwC
  • Royal Mail
  • Rothesay
  • BAE Systems
  • Diageo
  • Mineworkers Pension Scheme
  • Capita

The impact of this breach is still being determined, so new pension schemes may be added to this list.

The Universities Superannuation Scheme (USS), which is Britain’s largest private pension plan, warned its half a million members of the potential dangers, saying that the data on Capita’s servers related to 470,000 deferred and retired members and Capita has advised them to assume some data had been accessed or copied. This is just from one pension scheme.

The cyber-attack is also said to have affected NHS England, with files containing the names and NHS numbers of deceased and deregistered patients among the documents accessed.

The cost of the Capita data breach

This data breach has reportedly cost Capita as much as £25m. In August, Capita estimated that the financial costs associated with the “cyber incident” would be between £20m and £25m, up from a previous estimate of £15m to £20m. The group said the new figure reflected the complexity of analysing the “exfiltrated” data, the costs of recovery and remediation, and further investment to improve its cybersecurity.

This does not include any potential fine Capita may face from the incident, or the cost of any compensation the company may have to pay to those affected. Capita also has not disclosed whether it paid a ransom to the hackers, who typically try to extort money from the companies whose data they steal.

The financial impact on Capita has been severe. In August, its shares fell by more than 12% in one day after it released its estimate of the costs of the breach. Capita reported a pre-tax loss of £67.9m in the six months to the end of June 2023, compared with a profit of £100,000 in the same period the previous year. This is said to be largely related to the costs associated with the data breach.

It was also reported earlier this year that Jon Lewis, the chief executive of Capita, is to step down from his role by the end of the year to make way for Adolfo Hernandez, vice-president of telecommunications at Amazon Web Services.

What caused the Capita data hack? 

The Russian-speaking ransomware group Black Basta claimed responsibility for the attack. These cybercriminals infiltrated Capita’s systems and stole the data of hundreds of thousands of people, and they have since reportedly leaked Capita customer data on the dark web.

The outsourcer admitted that the hackers had access to its systems for almost 10 days before the intrusion was discovered.

What data is likely to have been breached? 

The two Capita data breaches involved significant amounts of sensitive data. In the first major breach, which affected pension providers, the data that reportedly could have been accessed includes the person’s title, initial(s), full name, date of birth, National Insurance number, pension fund member number and retirement date.

Other organisations have reported that passport photos, bank account details, home addresses and phone numbers could also have been taken and uploaded to the dark web.

In September 2023, it was reported that tens of thousands of primary school pupils’ details may also have been stolen during the Capita data breach. Capita runs several services for the Department for Education (DfE), including administering primary school SATs for the Standards and Testing Agency (STA). Documents obtained by Schools Week revealed that up to 30,000 students’ personal data records held for the STA are believed to have been exfiltrated.

In its report to the Information Commissioner’s Office (ICO), the DfE said this pupil data includes pupil names, dates of birth, pupil IDs, test types and school reference numbers, as well as other non-identifiable management data. It went on to say that the data did not contain “any addresses for the pupils or contact details, names of schools, exam results or any special category personal data or financial information.”

The DfE said in May that “Whilst name and date of birth are unlikely to present a high risk, should the information be made public for sale, it is likely to cause distress.” However, they went on to say because there “is not a high risk posed, we are currently unlikely to inform the STA data subjects.”

The second Capita data breach 

In May 2023, it was reported that Capita had suffered its second data breach in under two months. The Information Commissioner’s Office (ICO) said in a statement that a “second breach emerged in May when it was reported that the firm had left benefits data files in publicly accessible storage, prompting several councils to say they thought their data had been compromised.”

This data security incident is said to have affected several local authorities, including:

  • Colchester Council
  • Coventry City Council
  • Derby City Council
  • Adur and Worthing Council
  • Rochford District Council
  • South Staffordshire Council

Colchester Council expressed its “extreme disappointment with Capita” after it found that benefits data for 2019-20 and 2020-21 had reportedly been exposed.

This unsecured file was said to have contained half a terabyte of data and had been left exposed online and unprotected as far back as 2016.

While it’s believed no criminals were involved in this second Capita data storage breach, we recommend those potentially affected be extremely vigilant as the data has been publicly accessible online for many years.


How did the second Capita data leak occur? 

This data breach reportedly occurred due to an exposed “Amazon S3 bucket.” Amazon S3 is a cloud storage service used by many companies, and data in it is organised into buckets. A bucket that has been left open poses a cybersecurity risk: anyone who knows or guesses its address can list and download what it holds, and if write access has also been granted, alter or delete the data within.

The most likely cause of these files being left exposed is cloud misconfiguration or an oversight in setting up the bucket’s permissions. Amazon S3 buckets are private by default, so only the account owner and those explicitly granted permission can access the bucket and its contents. However, a bucket can be opened to the world by a single setting: an access control list (ACL) grant to the “AllUsers” group, or a bucket policy whose principal is “*”. Since April 2023 AWS has also turned on S3 Block Public Access and disabled ACLs by default for newly created buckets, but older buckets keep whatever settings they were given, which matters here because the exposed file is said to date back to 2016.
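To make the misconfiguration concrete, here is an added example (not code from the original article, and not Capita’s real configuration, which has not been published) that evaluates an S3 bucket’s ACL, bucket policy and Block Public Access settings the way an auditor would after pulling them with the AWS CLI or boto3. The two sample configurations are constructed: a bucket opened by a public-read ACL and a wildcard policy, and the same bucket with Block Public Access fully enabled, which is the correction AWS recommends.

```python
"""Added example: decide whether an S3 bucket's settings expose it publicly.
The sample ACL, policy and Block Public Access (BPA) settings are constructed
for illustration; the bucket name is hypothetical."""
from typing import Optional

# Grantee URIs meaning "anyone on the internet" / "anyone with an AWS account"
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_ACTIONS = {"s3:*", "s3:PutObject", "s3:DeleteObject"}
READ_ACTIONS = {"s3:*", "s3:GetObject"}
LIST_ACTIONS = {"s3:*", "s3:ListBucket"}


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. an anonymous grant."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_acl_permissions(acl: dict) -> set:
    """Permissions the bucket ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return {
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    }


def public_policy_actions(policy: Optional[dict]) -> set:
    """Actions that an unconditional Allow statement grants to a wildcard principal.
    Statements carrying a Condition are skipped here; a full audit would inspect
    the condition to see whether it really limits the audience."""
    actions = set()
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def assess_bucket(acl: dict, policy: Optional[dict], bpa: Optional[dict]) -> dict:
    """Combine the three settings the way S3 applies them. With BPA on,
    IgnorePublicAcls neutralises an existing public ACL and
    RestrictPublicBuckets neutralises an existing public policy."""
    bpa = bpa or {}
    acl_perms = set() if bpa.get("IgnorePublicAcls") else public_acl_permissions(acl)
    pol_acts = set() if bpa.get("RestrictPublicBuckets") else public_policy_actions(policy)
    acl_full = "FULL_CONTROL" in acl_perms
    return {
        # Bucket ACL READ = list the bucket; WRITE = create, overwrite or delete any object
        "listable": acl_full or "READ" in acl_perms or bool(pol_acts & LIST_ACTIONS),
        "readable": bool(pol_acts & READ_ACTIONS),
        "writable": acl_full or "WRITE" in acl_perms or bool(pol_acts & WRITE_ACTIONS),
        "public_acl_grants": sorted(acl_perms),
        "public_policy_actions": sorted(pol_acts),
    }


# Constructed sample: ACL set to public-read, policy lets anyone download objects,
# and Block Public Access never switched on.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-benefits-archive/*",  # hypothetical bucket
}]}
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
# The corrected setting: the same ACL and policy left in place, but BPA fully on.
BPA_ON = {k: True for k in BPA_OFF}

if __name__ == "__main__":
    print("exposed :", assess_bucket(EXPOSED_ACL, EXPOSED_POLICY, BPA_OFF))
    print("hardened:", assess_bucket(EXPOSED_ACL, EXPOSED_POLICY, BPA_ON))
```

Run as written, the first line reports the bucket as listable and readable by anyone (but not writable, because only GetObject and a READ grant were given), and the second reports nothing exposed even though the permissive ACL and policy are still there. That is the point of Block Public Access: it is an account- or bucket-level override that survives a later mistake in an individual ACL or policy, and turning it on is the first check to make on any bucket created before AWS changed the defaults.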

What data is said to have been breached? 

Reportedly, in this second breach affecting local councils, benefit details, including Personal Independence Payment (PIP) data, may have been accessed.

Capita employee data could also have been breached 

The Communications Workers Union (CWU) has called for Capita to come clean and clarify the extent to which Capita employee data was affected by the data breach amid growing unease as to the nature and scale of the threat the data breach could pose to employees.

Despite initially assuring people that the criminal hacking was “limited to the Capita network” and that there was “no evidence of colleague, client or customer data having been compromised,” subsequent media reports have suggested that the incident may be more serious than originally thought.

Back in April, Capita CEO Jon Lewis revealed that “there is now some evidence of a limited amount of data leaving the business from a small proportion of our servers.”

“Investigations are ongoing,” the CEO continued, “but this might include colleague data.”

The Financial Times also reported in July that Capita’s pension fund was affected by the breach in March.

“We are informing those we have identified to be affected by the incident, and Capita colleagues are being contacted wherever necessary as part of the process,” Capita said.

This notification sent to Capita’s pension fund members came more than three months after the hack.

The CWU issued an urgent demand to Capita to clarify the extent to which employees should be concerned about the security of sensitive personal information held on the company’s systems. They said that it has “naturally created a plethora of questions” for Capita employees who are part of the union.

In a joint statement issued to Capita members by the CWU last week, CWU national officer Tracey Fussey, and acting deputy general secretary (Postal) Andy Furey, hit out at Capita’s “continuing failure to keep the CWU properly informed on matters that have a clear and urgent relevance to the union’s Capita members.” 

They state they are seeking an urgent meeting to discuss the breach with Capita and the impact of this on its members.

Speaking to CWU news, Tracey Fussey stated:

“Capita owes it to its employees to answer these questions as soon as is humanly possible – and members can rest assured that CWU will keep up the pressure until it does.”


Victims of the Capita data breaches could be at risk 

Millions of people could be affected by the Capita data breaches, with 90 organisations already reporting to the ICO that their data has been affected, and investigations still underway. Capita has stated that it expects the cyber-attack to cost it between £20m and £25m in specialist professional fees, recovery and remediation costs and investment to reinforce its cybersecurity defences and strengthen its IT security.

Capita said in August 2023 that it had nearly finished its investigation into the incident, confirming that some data had been exfiltrated from its IT systems but adding that this involved less than 0.1% of its server estate. The company added: “That data has been recovered and extensive steps have been taken to secure the data. Impacted customers, suppliers and employees have now been contacted and we are supporting those whose data was exfiltrated.”

After a data breach, affected individuals are at an increased risk of further attacks and fraudulent activity. Anyone who has been told that their data was affected in either of these Capita data breaches should be extremely vigilant. We often see victims of similar data breaches targeted by cybercriminals who use the stolen details to make phishing messages more convincing, or to attempt fraud and identity theft. Some victims have already reported unauthorised banking activity, such as takeaway orders being placed on their accounts.

Some individuals have been offered credit monitoring following the breaches to keep an eye on their accounts in case someone tried to take out any form of credit in their name or any other fraudulent activities. We strongly recommend if you have been offered this credit monitoring service (e.g. from Experian), that you take it. This will help you to identify any fraudulent attempts to use your compromised data.

This is little comfort to some of those affected. One USS member described it as a “non-solution that places the onus on the victims to monitor our potential identity theft.”

One PwC pension fund member said they would like to change their complete identity as “there’s so much of me that’s now out in the hands of somebody else who can choose to use it however they want.”


Who is responsible for securing my data? 

While both of these breaches occurred on Capita’s systems, Capita may not be the company you supplied your data to. As an outsourcing and professional services company, it handles and stores data on behalf of many different companies and large organisations, such as the NHS, the UK military, the Ministry of Defence and the Royal Bank of Scotland.

While it was Capita’s systems that were hacked in the first data breach, the pension schemes that outsource to Capita remain responsible for their members’ data: under UK data protection law they are the data controllers, and Capita acts as their processor. Therefore, if you have been affected by this, your pension provider should have written to you to make you aware that your data could have been affected.

In the second breach, the unsecured S3 bucket was controlled by Capita, but the local authorities whose data it stored remain responsible for the benefit data given to them. Therefore, if you have been affected by this breach, you should have been contacted by your local authority to make you aware of it.

What to do if you have been affected by the Capita data breaches

Becoming the victim of a data breach can be a very distressing experience. Victims often experience stress, fear and anxiety at the thought of their personal information being exposed. Not knowing who has accessed your data or what they could do with it is a very harrowing experience. Not to mention the increased threat of further scams, fraud and even identity theft which can lead to huge financial losses.

We understand the difficulties faced by those who are victims of data breaches, and we want to help. Read our article about what to do after experiencing a data breach so you can learn how to protect yourself effectively if you’re in this situation.

You can also take out a claim for compensation against the organisation responsible for the breach of your data. In this case, you can make a Capita data breach claim for compensation if you have been contacted to be made aware your data has been affected in either of the two Capita data breaches. Our expert data breach solicitors have many years of experience helping clients successfully obtain the compensation they deserve after suffering a data breach.

We’re here to help you every step of the way and are well-versed in the laws and regulations around the storage of data, data protection laws, and data breach claims. We even offer free consultations, and if we believe you have a case, we can handle your claim on a no-win, no-fee basis. This means you don’t have to pay a penny upfront to start your claim.

Get in touch with our team today if you have been affected by the Capita data breaches. Start your claim for free by filling in our online claim form, or contact the team at 0151 668 0810 or enquiries@hnksolicitors.com. There are no costs for speaking to our team, and you are under no obligation to proceed if you choose not to.

Let us help you get the compensation you deserve, so you can get your life back on track.

