Hundreds of thousands of people are being warned that they could have been affected by the March attack on pensions administrator Capita, after approximately 90 separate organisations reached out to the Information Commissioner's Office (ICO) – the UK body responsible for data protection – for help and advice.

Earlier this month, The Pensions Regulator (TPR) wrote to over 300 pension funds asking them to check if their client data had been put at risk by the attack.

The UK’s main pension fund for university staff – The Universities Superannuation Scheme (USS) – is in the process of writing to all its 500,000 members to inform them their data was at risk.

As well as universities, Capita manages the pension funds of thousands of companies and councils.

Some of the councils which have confirmed their data has been affected include Adur & Worthing, Coventry city council, Derby city council, Rochford district council and South Staffordshire council.

Some of the organisations known to be affected by the data breach are Marks & Spencer, Diageo and Reuters.

Ongoing Saga

Followers of my posts this year will know that I’ve been keeping a close eye on this story as it emerges as the biggest cyber attack in the UK affecting PII (Personally Identifiable Information).

Hartlink

The cyber attack in March affected a number of pension funds that use Hartlink, a Capita-developed system with which pensions operators administer the pension schemes of their millions of customers.

It is not yet known how the attack managed to compromise Hartlink – whether it was via a discovered vulnerability, compromised credentials, or even via an attack on the company's web portal (hartlinkonline), which customers can use to manage aspects of their own pension schemes.

Hartlink was named after the original name of the Capita pensions administration business – Capita Hartshead – which was based at Hartshead House in Sheffield. The business was renamed in 2012 after it acquired Bluefin Corporate Consulting.

The newly formed company was called Capita Employee Benefits and provided multiple benefits, such as medical care, gym memberships and shopping discounts, to employees of those companies within the Capita pensions schemes.

In 2020, Capita sold the Staff Benefits portion of its affairs to Benefex to return to purely pensions administration activities.

Its workforce comprises over 2,400 employees operating from 24 locations across the UK and Ireland.

“As one of the largest third-party administrators in the UK, we take care of all the time-consuming administrative load, so organisations are free to focus on what they do best. We administer over 450 pension schemes with 4.3 million scheme members, offering an extensive range of customisable modules through our market-leading pensions software solutions. This includes schemes of all shapes and sizes, from defined benefit, defined contribution, cash balance, hybrid or master trust, to schemes with multiple sections, payrolls and members.”

Pensions administration – Capita website statement

Capita Shares hit

It comes as no surprise to know that since the breach was announced, the share price for Capita (CPI) has taken a hit and has seen a steady fall over the last few weeks as more news of the extent of the breach comes to light.

Capita (CPI) share price chart – lse.co.uk

Shares are currently trading at around 33.12, down from a previous high of 42.64 at the beginning of March.