How bad is the cyber attack on Capita?
On Sunday, the press reported that data is being leaked online after outsourcing firm Capita experienced what it described as “a cyber incident” on 31 March. Capita has said its investigations have so far not confirmed any evidence of data having been compromised.
Capita handles the data of many UK pension schemes in its capacity as third-party administrator. On 3 April, it revealed that its internal system could not be accessed by staff from 31 March.
Although the firm itself did not disclose the nature of the “incident”, some reports now say it was a ransomware attack by Russian gang Black Basta, which has conducted breaches in several Western countries mainly across construction, manufacturing and healthcare since early 2022. Data being leaked online includes bank accounts and phone numbers, according to the Sunday Times.
Capita said on 3 April it took immediate steps “to successfully isolate and contain the issue”, which was limited to parts of the Capita network, adding that “there is no evidence of data having been compromised”.
As there are now reports that data apparently obtained from Capita has been leaked online, the firm is coming under fire for not having been transparent enough about the severity of the breach.
Capita told mallowstreet on Monday: “We continue to work closely with specialist advisers and forensic experts in investigating the incident. We are in constant contact with all relevant regulators and authorities. Our investigations have not yet been able to confirm any evidence of customer, supplier or colleague data having been compromised.”
It added: “Once our investigations have concluded, we will, if necessary, inform any impacted parties. We have taken all appropriate steps to ensure the robustness of our systems and are confident in our ability to meet our service delivery commitments.”
How are pension funds affected?
A spokesperson for the Pensions Regulator said: “We are aware of the incident at Capita and we are engaging directly with the company, other regulators and relevant organisations.”
The spokesperson added: “Any cyber security breach demonstrates the importance of having a robust cyber security and Business Continuity Plan in place, which should be part of the internal controls run by any scheme. Scheme trustees should continue to use our guidance on cyber security to check that their own cyber security plans are up to date.”
Under the regulator’s guidance, trustees of a scheme that has suffered a breach have a duty to notify other parties, including the Information Commissioner’s Office, TPR or the Financial Conduct Authority as appropriate, as well as law enforcement in cases of fraud, third parties and, “if necessary”, scheme members.
Some of the UK pension schemes impacted by the Capita breach have notified their members already. Diageo’s pension fund shared an update on the incident on its member portal on 3 April, saying the outage “caused disruption to some services provided to individual clients [of Capita], including the pensions administration services that are used to manage the Diageo pension schemes”.
The scheme said at the time that “once the pensions system has been restored, Capita will prioritise any outstanding payments and settlements”, telling members to expect a delay in all other requests while the administrators are catching up.
The British Coal Staff Superannuation Scheme and the Mineworkers’ Pension Scheme have also been affected. On 6 April, the respective trustees told members that their administration teams are working to resolve any outstanding member queries as soon as possible, both adding: “We have also received further reassurances from Capita that no member data has been compromised.”
How common are cyber attacks?
Hacking is now a reality of business life. In 2020, industry commentators noted a well-known pensions administrator had become the victim of a ransomware attack. Last year, 39% of UK businesses experienced a cyber attack, according to the Department for Digital, Culture, Media & Sport. Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware or ransomware attack.
The Pensions Regulator’s former executive director of analysis, advice and regulatory policy, David Fairs, warned pension funds in 2019 that “it’s not a case of if you will be attacked, it’s a case of when”.
He said at the time that TPR has seen phishing emails purporting to come from master trusts, and membership lists being sold on the dark web for around $15 per member record. Cases of ‘whaling’ have also been observed, where typically a financial controller receives an email which appears to come from the CEO, requesting to settle an invoice.
The Institute and Faculty of Actuaries has produced a paper on the key cyber risks faced by pension schemes, how these risks can be managed, and who is responsible for managing them.
What steps can trustees and administrators take to minimise the impact of a cyber attack?