Dozens of organisations have reported breaches of personal information held by Capita, which suffered a cyber attack earlier this year and administers pension funds for several large employers.
According to The Guardian, around 90 organisations have been affected by the data breach and The Pensions Regulator (TPR) has written to more than 300 pension funds asking them to check whether their data has been stolen by hackers.
The outsourcing giant’s systems are used to manage the pension funds for several major employers, including Royal Mail and Axa.
A second Capita data breach emerged in May, when it was reported that the company had left benefits data files in a publicly accessible area.
The Information Commissioner’s Office (ICO), the UK’s data watchdog, said it had received a “large number of reports” from organisations whose data has been directly affected.
“We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps,” the ICO said.
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”
The Pensions Regulator said pension trustees are responsible for their own members’ data and should check if they have been affected. If it emerges that there has been a data breach in their scheme, they should contact the affected individuals and notify the TPR and ICO.
“This situation is likely to cause concern to members and you should be prepared to answer their queries. You should contact your members proactively to warn them about pension scams and keep them updated while you confirm whether a data breach has taken place. You should also monitor increased or unusual transfer requests,” it said in a statement earlier this month.
A spokesperson for The Pensions Regulator said: “We continue to work closely with Capita and other regulators.
“We are calling on all pension schemes administered by Capita to work with the company to understand how their scheme may have been impacted, to fulfil their responsibilities as data controllers and to warn members of the threat of scams and how to protect themselves. We are following up robustly with those pension schemes to ensure they do so.”
Earlier this month Capita said less than 0.1% of its data was affected and that it was working with regulators, customers, suppliers and colleagues to notify those impacted.
A Capita spokesperson said: “We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us.”