Capita used public storage in second cyber incident


A second cyber incident has occurred at beleaguered outsourcer Capita, as it was found the firm was using publicly accessible storage for some data. 
  
The Information Commissioner’s Office has made a statement about Capita which referred to the cyber attack from March this year, as well as to a second incident. 
  
“We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage,” an ICO spokesperson said on 25 May.
 
“We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries,” the spokesperson added.
 
The ICO has told organisations they should determine if their data has been affected. Firms and funds must notify the ICO within 72 hours of becoming aware of a personal data breach, “unless it does not pose a risk to people’s rights and freedoms”. Those that do not report a breach should be able to explain why it was not reported. 
  
Hundreds of pension funds and pension providers employ Capita as their third-party administrator. Some funds, like the Universities Superannuation Scheme, have found that their members’ information was indeed leaked – names and dates of birth as well as national insurance numbers, membership numbers and retirement dates – and have made an identity protection service available for free.
   
   
The Marks & Spencer Pension Scheme has notified its members that the breach “may have affected the security of personal data for a large proportion of our scheme’s members”, including the majority of pensioners and a small group of deferred members. 

It noted that “Capita cannot be certain that this data has been accessed, but we believe it’s appropriate to act as if this is the case and warn affected members about the potential risks”. 
  
The scheme has issued a letter with further information and support to affected members.  
  
Capita did not comment specifically on the publicly accessible storage incident but said it continues to work closely with specialist advisers and forensic experts to investigate the incident and has taken “extensive steps” to recover and secure the data. 
 
“In line with our previous announcement, we are now informing those we have identified to be affected. We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so,” a spokesperson for the firm said. 
  
The Pensions Regulator said it is working closely with Capita and other regulators and has called on all pension fund trustees with schemes using Capita to understand how their scheme might have been impacted and warn members of scams. 
  
“We are following up robustly with those pension schemes to ensure they do so,” a spokesperson said. 
 
How might the data breaches at Capita affect trust in pensions? 
