UK Regulators Warn Pensions to Check Data After Capita Breach

TPR, FCA and ICO are urging Capita clients to find out if any of their data has been stolen.

U.K. regulators are asking hundreds of pension plans and other firms to check to see if any of their data has been stolen following a security breach at pension administrator Capita plc.


Capita is one of the largest third-party administrators in the U.K, and, according to the firm, administers more than 450 pension plans with 4.3 million participants. The company announced in early April it had “experienced a cyber incident” on March 31 that mainly affected access to internal applications.


After investigating the matter, the firm determined that the initial unauthorized access of data took place on or around March 22 and was interrupted by Capita on March 31. Although the company said the interruption significantly restricted the hack, it also said there was “some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.” 


As a result of the breach, The Pensions Regulator, the U.K.’s watchdog for workplace pensions, sent a letter to hundreds of pension plan trustees to inform them of risk to their plan’s data. The Financial Conduct Authority and the Information Commissioner’s Office, which is the U.K.’s independent body for upholding information rights, are also urging companies to find out if any data has been stolen.


“We are continuing to closely monitor the incident at Capita,” said a TPR spokesperson, who declined to share the letter sent to pension trustees. “We are engaging directly with the company regarding their communications with schemes, and we are in discussions with other regulators, trustees of schemes and relevant organizations.”


The FCA said it continues to engage with Capita to understand the extent of any data compromise and impact on the firms to which they provide outsourced services. “We have also written to FCA-regulated firms that are clients of Capita to ensure they are fully engaged in understanding the extent of any data compromise,” the FCA said.


The ICO released a statement that other affected organizations “should also consider their position and report data breaches where necessary.”


The ICO said companies must notify it within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. It also cautioned that if a firm decides a breach does not need to be reported, “they should keep their own record of it and be able to explain why it wasn’t reported, if necessary.”


Related Stories:

SEC Settles Charges with Firm Over Failing to Report Hacking Attempts

Texas ERS Hacker Gets 8 Years in Prison

Your Hacking Risk: What You Don’t Know Really Can Hurt You



Tags: , , , , , , , , , ,