Capita has warned the pension schemes of Marks and Spencer, Diageo, Unilever and Rothesay that their members’ personal data was likely to have been stolen by hackers during a cyber attack at the UK outsourcer.
The pension funds were among hundreds of private sector retirement schemes that used Capita to support their pension administration services. Capita detected a cyber incident in March and confirmed in April that it had been the victim of a hack that had affected some customers.
The M&S pension scheme said on Thursday the attack may have affected the security of personal data for a “large proportion” of scheme members including the “majority” of pensioners who had worked at the retailer.
It added that “if personal data is accessed it could be used for fraud, identity theft or to send malicious emails”.
“Capita cannot be certain that this data has been accessed, but we believe it’s appropriate to act as if this is the case and warn affected members about the potential risks,” the pension scheme said in a statement, published on its website.
According to its 2021 accounts, the M&S pension scheme had 106,000 members with about 53,000 of those pensioners. Trustees of the M&S pension plan declined to comment beyond the statement on the website.
Meanwhile, Diageo said some of its 32,000 pension members had been affected by the incident. The drinks maker said it was still working with Capita to establish the full impact of the hack.
Capita is now offering some Diageo pension scheme members complimentary membership of a service that helps detect possible misuse of personal data.
Diageo said: “We have written to those members to assure them that there has been no impact to the Diageo Pension Scheme and that their benefits are safe.” The possible data breach around Diageo’s pension plan was first reported by The Scotsman.
The announcements from Capita’s private sector clients come nearly two months after the outsourcer first detected a cyber incident. The outsourcer had initially said last month that there was “no evidence” that customer data had been compromised by the hack.
On Thursday, USS, the UK’s biggest private sector pension plan, said it would offer free access to an identity protection service after members’ details were put at risk by the Capita hack. USS is a Capita client that last week announced 470,000 members’ details were at risk.
“We will be writing to [the members] as soon as possible setting out how [the identity protection service] will work,” USS said in a statement.
USS declined to comment on how the ID theft protection service would be funded. But the company understood that this would not be paid from members’ funds.
Aaron Le Marquer, head of policyholder disputes department at UK law firm Stewarts, said it was highly likely that other affected pension plans or other financial institutions whose customer data was at risk of being compromised by the Capita breach would be offering similar protection to their members or customers.
They would probably “seek to recover such costs from Capita, leading to the question of whether Capita is covered for such third-party liabilities under the terms of its cyber insurance,” he warned.
USS declined to comment on whether it would retain Capita’s services.
Meanwhile, Derby city council became the latest local authority to reveal that it had been affected by a separate data security incident in which files, including details on benefit payments, were left exposed on an unsecured Amazon Data Bucket controlled by Capita. The council said it was reviewing its arrangements with Capita.
The Information Commissioner’s Office, the data regulator, said if a person’s identity was stolen, the victim was at risk of losing money and could find it difficult to acquire loans, credit cards or a mortgage.
Capita said it was informing affected clients and that it was working closely with “specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data”. It previously said that “in instances where we need to provide further support to those affected, we will do so”.
This story has been amended to clarify Aaron Le Marquer’s job title.