Universities Superannuation Scheme, the UK’s largest private pension provider, says Capita has warned that details of almost half a million members were held on servers accessed during the recent breach.
The USS made the disclosure today, saying that it uses Capita's technology platform, Hartlink, to manage in-house pension administration processes, and has been working closely with the scandal-struck Capita since the digital burglary in March.
“While it has been confirmed that USS member data held on Hartlink has not been compromised, we were informed on Thursday 11 May that regrettably details of USS members were held on the Capita servers accessed by the hackers,” USS said on its website today.
The data potentially accessed includes title, initials and name, date of birth, National Insurance number and USS member number. It dates from early 2021 and covers “around 470,000 active, deferred and retired members.”
“While Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (ie, accessed and/or copied) by the hackers, they recommend we work on the assumption it was,” the USS adds in a statement on its website today.
USS says it is waiting for Capita to send over specific data that it will need to check and process. “We will be writing to each of the members affected by this – and, where applicable, their employers – as soon as possible to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice.”
Crooks broke into Capita’s IT infrastructure in March and weren’t spotted by the tech services biz for nine days until March 31, when it was forced to shut down systems to contain any spread of infection. In early April, Capita confirmed it was dealing with a “cyber incident,” and has since issued updates but has yet to confirm what type of security nasty it was trying to mitigate.
Russian ransomware crew Black Basta has claimed responsibility, saying it had put up for sale sensitive documents including passport details, bank account information and more. Capita has kept quiet on the culprit but initially said 4 percent of its servers were accessed and it had evidence data was exfiltrated.
Last week, Capita – which administers 450 pensions in the UK with 4.3 million members – wrote to pensions customers warning that servers accessed may have contained their data. This week, Capita told investors the cost of cleaning up the breach would run to £20 million ($25.24 million).
Capita also claimed that “some data was exfiltrated from less than 0.1 percent” of its server estate, though the nature of that data could be highly sensitive.
In a statement sent to The Register, a Capita spokesperson said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data.
“In line with our previous announcement, we are now informing those we have identified to be affected. We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so.”
We asked The Pensions Regulator to comment. Last week it told us this was an ongoing and developing situation with fresh details emerging daily.
The cost of the clean-up effort is one aspect for Capita, but as analyst Megabuyte noted this week: “reputational damage for a key supplier to critical UK government services such as Capita is likely far greater.” ®