The Pensions Regulator is writing to trustees at hundreds of pension funds asking them to ensure members’ information has not been compromised following a data hack at scheme administrator Capita.
Capita, the UK’s largest outsourcing company, was hacked last month by a Russian group called Black Basta, according to reports in The Sunday Times.
Capita initially claimed there was no data breach, but later reports suggest details of some Capita clients, including bank account numbers and passport pictures, have been uploaded onto the dark web.
The Pensions Regulator (TPR) has now become involved, writing to the trustees of 300 schemes which use Capita’s administration services.
In total, Capita’s systems administer pensions for about 4.5 million people on behalf of 450 organisations. This includes both defined contribution (DC) and defined benefit (DB) schemes for companies such as Axa, the Royal Mail and PwC, as well as public bodies such as schools.
A spokesperson for The Pensions Regulator says: “In light of the cyber incident directed at Capita, we have asked trustees of schemes which employ Capita as their administrator to speak with the company to understand more about the situation and to help determine whether there is a risk to their scheme’s data.
“If a trustee establishes that their scheme has suffered a data loss, they have a duty to notify TPR, other authorities and impacted individuals. Our communication requires trustees to read TPR’s and the ICO guidance on cyber and IT security and to make sure they are familiar with their responsibilities.
“We are also asking schemes to report to us what steps they have taken to ensure their obligations as data controller have been met.”
He adds: “We take IT security and the risk of cyber attacks extremely seriously. That’s why we have issued guidance for trustees.”
Pension PlayPen director Henry Tapper has been critical of Capita’s initial response to the data breach, which appeared to downplay the seriousness of the attack. He also questioned whether TPR could have acted sooner.
He says: “This [data hack] happened in March, so why is it now, in May, that The Pensions Regulator is doing something about it?
“Capita first disclosed in late March an ‘IT issue’ that left staff unable to access some systems and disrupted services provided to local authority clients. The outsourcer confirmed on April 20 that there had been a data breach and that hackers may have accessed customer and internal data.”
He adds: “Whatever damage limitation plan Capita has had in place, it doesn’t look like it’s working. The problem for the members whose data may have been compromised is that you can’t search the dark web for what is known about you. If your details are for sale, then there is little you, your trustees or Capita can do about it.”
Writing on his blog, he added that this incident, and the response to it, could prove damaging for Capita’s reputation within the workplace pensions industry, particularly as the company is “supposed to be at the forefront of protecting us from data hacks so this is not a good look.”
In a statement Capita said: “Since March 31st we have been in regular contact with trustees and regulators and we will keep them updated as our investigation into the cyber incident progresses.”