USS — the UK’s biggest private sector pension plan — has warned that the personal data of about half a million members may have been stolen during a cyber attack on outsourcing group Capita.
The USS uses Capita’s technology to support its administration processes. Last month, the UK outsourcer confirmed it had suffered a cyber attack in late March.
USS said it had been informed on Thursday that “regrettably” details, including names, dates of birth and national insurance numbers, of about 470,000 members dating back to early 2021 were on the Capita servers accessed by the hackers.
“We are very sorry that some USS member data held by Capita may have been accessed by a third party,” said Bill Galvin, USS’s group chief executive.
USS added that while Capita could not confirm if this data was definitively accessed or copied by the hackers, it had recommended that the pension group work on the assumption that it had. The pension plan would write to its affected members as soon as possible and provide support and advice, it said.
The USS statement came almost seven weeks after a cyber incident was first detected by Capita on March 22. This week Capita said that the attack would cost it up to £20mn although it declined to comment on whether it paid a ransom.
USS is among hundreds of private and public sector clients that use Capita for outsourcing. Capita is one of the UK government’s largest software and IT services providers, as well as running the London congestion charging zone, collecting the BBC licence fee and overseeing training for the Royal Navy.
It also delivers services to medical practitioners in England, assisting GPs, dentists, opticians and pharmacists with the ordering of medical supplies, the accessing of medical and pension records, and the processing of payments.
Big life insurers such as Aviva, Phoenix, Pension Insurance Corporation and Just Group also use Capita to administrate services such as pension payments and communications with savers.
Aviva reiterated on Friday that there was “no evidence” to suggest its customer data had been accessed, while the other companies declined to comment. Capita previously told Phoenix that its data had not been compromised, according to someone familiar with the interaction.
Capita declined to say how many of its clients were impacted by the hack.
But it said it was working closely with specialist advisers and forensic experts to investigate the incident and had taken “extensive steps” to recover and secure the data.
“In line with our previous announcement, we are now informing those we have identified to be affected,” Capita said in a statement.
The Pensions Regulator said it was continuing to work closely with scheme trustees, other regulators and Capita over the incident. “We are calling on all trustees to work with Capita to understand how their scheme has been impacted,” said TPR.