Britain’s biggest pension fund, the Universities Superannuation Scheme (USS), has revealed that data on 470,000 of its members may have been stolen during March’s cyberattack on Capita. It is the first indication of the extent of the breach at the outsourcing giant.
The fund manages assets worth £82bn, and is the UK’s largest private pension provider, acting as the principal pension scheme for universities and higher education institutions in the UK.
It said in a statement today that data on its members was compromised during the Capita hack. Capita had initially said no customer data was stolen in what it describes as a “cyber incident”, but later admitted it is likely some information had been taken, and said in an update this week that “data was exfiltrated from less than 0.1% of its server estate”.
USS data stolen in Capita hack
This apparently included data belonging to USS members. The pension fund said in a statement released today that “we were informed on Thursday 11 May that regrettably details of USS members were held on the Capita servers accessed by the hackers. The information potentially accessed includes their title, initials and name, their date of birth, their National Insurance number [and] their USS member number.
“The details, dating from early 2021, cover around 470,000 active, deferred and retired members.”
Personal data such as this can be used by hackers to launch social engineering attacks, in which they impersonate victims to steal money or information, or to gain access to networks.
USS said that while “Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (ie, accessed and/or copied) by the hackers, they recommend we work on the assumption it was”, and added that it would be contacting those affected.
The statement added that the fund is waiting on Capita to provide details on specific information that was accessed, and said: “We are sorry that member data has been accessed in this way.
“We are proactively engaging with Capita in respect of their ongoing investigations and are considering the next steps available to us. We also continue to engage with them about the ongoing support they will be providing to those affected.”
Capita cyberattack shockwaves continue
Tech Monitor reported last week that pension fund data may have been stolen in the breach, with financial regulator the Financial Conduct Authority writing to all UK funds that work with Capita. Capita provides services to hundreds of pension funds, as well as large swathes of the public sector.
The incident left staff at the outsourcing company without access to internal systems, and the knock-on effects saw services at organisations up and down the country disrupted for days.
In a statement released on Wednesday, Capita said it is “working closely with all appropriate regulatory authorities and with customers, suppliers and colleagues to notify those affected and take any remaining necessary steps to address the incident.”
It expects the breach to cost it between £15m and £20m.